colibri | 5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Size

4.9MB
MD5

4cb19f29a50b590b4e049659105ec340
SHA1

80bc53b20a62cf2d790376f121ec32ef2b1dc905
SHA256

5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f
SHA512

53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1000	schtasks.exe	86

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1892-3-0x000000001BF20000-0x000000001C04E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4380	powershell.exe
4700	powershell.exe
5004	powershell.exe
2520	powershell.exe
1316	powershell.exe
4364	powershell.exe
3488	powershell.exe
4392	powershell.exe
3256	powershell.exe
5088	powershell.exe
1852	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 44 IoCs

pid	Process
3056	tmp8292.tmp.exe
1956	tmp8292.tmp.exe
2156	fontdrvhost.exe
1816	tmpA19F.tmp.exe
4192	tmpA19F.tmp.exe
2348	fontdrvhost.exe
1460	tmpBF87.tmp.exe
2180	tmpBF87.tmp.exe
4444	fontdrvhost.exe
1888	fontdrvhost.exe
1424	tmpF954.tmp.exe
1752	tmpF954.tmp.exe
4372	fontdrvhost.exe
1720	tmp290F.tmp.exe
3284	tmp290F.tmp.exe
3308	fontdrvhost.exe
4288	tmp6D1D.tmp.exe
3064	tmp6D1D.tmp.exe
3848	fontdrvhost.exe
2972	tmp89EC.tmp.exe
2648	tmp89EC.tmp.exe
4908	fontdrvhost.exe
1460	tmpE347.tmp.exe
1652	tmpE347.tmp.exe
4716	tmpE347.tmp.exe
1372	tmpE347.tmp.exe
4340	fontdrvhost.exe
3400	tmp142A.tmp.exe
2984	tmp142A.tmp.exe
824	fontdrvhost.exe
4936	tmp2F73.tmp.exe
3080	tmp2F73.tmp.exe
1016	fontdrvhost.exe
2280	tmp4B76.tmp.exe
4856	tmp4B76.tmp.exe
3604	fontdrvhost.exe
232	tmp6826.tmp.exe
1632	tmp6826.tmp.exe
3980	fontdrvhost.exe
824	tmp98DB.tmp.exe
1540	tmp98DB.tmp.exe
3552	fontdrvhost.exe
740	tmpB646.tmp.exe
2372	tmpB646.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 1956	3056	tmp8292.tmp.exe	116
PID 1816 set thread context of 4192	1816	tmpA19F.tmp.exe	144
PID 1460 set thread context of 2180	1460	tmpBF87.tmp.exe	150
PID 1424 set thread context of 1752	1424	tmpF954.tmp.exe	160
PID 1720 set thread context of 3284	1720	tmp290F.tmp.exe	167
PID 4288 set thread context of 3064	4288	tmp6D1D.tmp.exe	173
PID 2972 set thread context of 2648	2972	tmp89EC.tmp.exe	180
PID 4716 set thread context of 1372	4716	tmpE347.tmp.exe	188
PID 3400 set thread context of 2984	3400	tmp142A.tmp.exe	197
PID 4936 set thread context of 3080	4936	tmp2F73.tmp.exe	207
PID 2280 set thread context of 4856	2280	tmp4B76.tmp.exe	213
PID 232 set thread context of 1632	232	tmp6826.tmp.exe	219
PID 824 set thread context of 1540	824	tmp98DB.tmp.exe	225
PID 740 set thread context of 2372	740	tmpB646.tmp.exe	234

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\smss.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\69ddcba757bf72	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX8A37.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files\MSBuild\Microsoft\dwm.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\e1ef82546f0b02	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\RCX860E.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\smss.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\dwm.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Program Files\MSBuild\Microsoft\6cb0b6c459d5d3	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCX7D9D.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\ICU\RCX8823.tmp	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File opened for modification	C:\Windows\Globalization\ICU\RuntimeBroker.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Globalization\ICU\RuntimeBroker.exe	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
File created	C:\Windows\Globalization\ICU\9e8d7a4ca61bd9	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE347.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA19F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp89EC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE347.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp142A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8292.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBF87.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp290F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D1D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B76.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp98DB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF954.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE347.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2F73.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6826.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB646.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1552	schtasks.exe
4848	schtasks.exe
1220	schtasks.exe
1772	schtasks.exe
3284	schtasks.exe
2508	schtasks.exe
2624	schtasks.exe
1816	schtasks.exe
540	schtasks.exe
1720	schtasks.exe
4448	schtasks.exe
3456	schtasks.exe
576	schtasks.exe
2176	schtasks.exe
1336	schtasks.exe
2572	schtasks.exe
4936	schtasks.exe
1728	schtasks.exe
968	schtasks.exe
4828	schtasks.exe
3972	schtasks.exe
5096	schtasks.exe
5016	schtasks.exe
3076	schtasks.exe
1960	schtasks.exe
384	schtasks.exe
4988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
3256	powershell.exe
3256	powershell.exe
4364	powershell.exe
4364	powershell.exe
2520	powershell.exe
2520	powershell.exe
4392	powershell.exe
4392	powershell.exe
1852	powershell.exe
1852	powershell.exe
5088	powershell.exe
3488	powershell.exe
3488	powershell.exe
5088	powershell.exe
5004	powershell.exe
5004	powershell.exe
1316	powershell.exe
1316	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4364	powershell.exe
3256	powershell.exe
1852	powershell.exe
4392	powershell.exe
3488	powershell.exe
2520	powershell.exe
1316	powershell.exe
5088	powershell.exe
5004	powershell.exe
2156	fontdrvhost.exe
2156	fontdrvhost.exe
2348	fontdrvhost.exe
4444	fontdrvhost.exe
1888	fontdrvhost.exe
4372	fontdrvhost.exe
3308	fontdrvhost.exe
3848	fontdrvhost.exe
4908	fontdrvhost.exe
4340	fontdrvhost.exe
824	fontdrvhost.exe
1016	fontdrvhost.exe
3604	fontdrvhost.exe
3980	fontdrvhost.exe
3552	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2156	fontdrvhost.exe
Token: SeDebugPrivilege	2348	fontdrvhost.exe
Token: SeDebugPrivilege	4444	fontdrvhost.exe
Token: SeDebugPrivilege	1888	fontdrvhost.exe
Token: SeDebugPrivilege	4372	fontdrvhost.exe
Token: SeDebugPrivilege	3308	fontdrvhost.exe
Token: SeDebugPrivilege	3848	fontdrvhost.exe
Token: SeDebugPrivilege	4908	fontdrvhost.exe
Token: SeDebugPrivilege	4340	fontdrvhost.exe
Token: SeDebugPrivilege	824	fontdrvhost.exe
Token: SeDebugPrivilege	1016	fontdrvhost.exe
Token: SeDebugPrivilege	3604	fontdrvhost.exe
Token: SeDebugPrivilege	3980	fontdrvhost.exe
Token: SeDebugPrivilege	3552	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3056	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	114
PID 1892 wrote to memory of 3056	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	114
PID 1892 wrote to memory of 3056	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	114
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 3056 wrote to memory of 1956	3056	tmp8292.tmp.exe	116
PID 1892 wrote to memory of 5004	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	117
PID 1892 wrote to memory of 5004	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	117
PID 1892 wrote to memory of 3256	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	118
PID 1892 wrote to memory of 3256	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	118
PID 1892 wrote to memory of 2520	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	119
PID 1892 wrote to memory of 2520	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	119
PID 1892 wrote to memory of 5088	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	120
PID 1892 wrote to memory of 5088	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	120
PID 1892 wrote to memory of 1316	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	121
PID 1892 wrote to memory of 1316	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	121
PID 1892 wrote to memory of 4392	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	122
PID 1892 wrote to memory of 4392	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	122
PID 1892 wrote to memory of 3488	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	123
PID 1892 wrote to memory of 3488	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	123
PID 1892 wrote to memory of 4700	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	125
PID 1892 wrote to memory of 4700	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	125
PID 1892 wrote to memory of 4364	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	126
PID 1892 wrote to memory of 4364	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	126
PID 1892 wrote to memory of 4380	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	127
PID 1892 wrote to memory of 4380	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	127
PID 1892 wrote to memory of 1852	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	128
PID 1892 wrote to memory of 1852	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	128
PID 1892 wrote to memory of 2156	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	139
PID 1892 wrote to memory of 2156	1892	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe	139
PID 2156 wrote to memory of 1564	2156	fontdrvhost.exe	140
PID 2156 wrote to memory of 1564	2156	fontdrvhost.exe	140
PID 2156 wrote to memory of 2360	2156	fontdrvhost.exe	141
PID 2156 wrote to memory of 2360	2156	fontdrvhost.exe	141
PID 2156 wrote to memory of 1816	2156	fontdrvhost.exe	142
PID 2156 wrote to memory of 1816	2156	fontdrvhost.exe	142
PID 2156 wrote to memory of 1816	2156	fontdrvhost.exe	142
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1816 wrote to memory of 4192	1816	tmpA19F.tmp.exe	144
PID 1564 wrote to memory of 2348	1564	WScript.exe	145
PID 1564 wrote to memory of 2348	1564	WScript.exe	145
PID 2348 wrote to memory of 3628	2348	fontdrvhost.exe	146
PID 2348 wrote to memory of 3628	2348	fontdrvhost.exe	146
PID 2348 wrote to memory of 3716	2348	fontdrvhost.exe	147
PID 2348 wrote to memory of 3716	2348	fontdrvhost.exe	147
PID 2348 wrote to memory of 1460	2348	fontdrvhost.exe	148
PID 2348 wrote to memory of 1460	2348	fontdrvhost.exe	148
PID 2348 wrote to memory of 1460	2348	fontdrvhost.exe	148
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150
PID 1460 wrote to memory of 2180	1460	tmpBF87.tmp.exe	150

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe
"C:\Users\Admin\AppData\Local\Temp\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1892
- C:\Users\Admin\AppData\Local\Temp\tmp8292.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8292.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\tmp8292.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8292.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2156
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d0d4bec-758f-45d4-b574-de1263882bdb.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2348
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0ef1669-fd73-4f08-96f3-200edaa2af43.vbs"
        5⤵
        
        PID:3628
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2665315d-df32-4222-881d-fca580790746.vbs"
        7⤵
        
        PID:2972
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1035971a-98e9-400a-9f41-506061fe99db.vbs"
        9⤵
        
        PID:4404
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3efeea0-2ba1-476f-bf5b-23c36a5e6740.vbs"
        11⤵
        
        PID:4448
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2972947f-bb71-48f1-94f0-a42476201b31.vbs"
        13⤵
        
        PID:4576
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9bab671-577e-4cba-be8a-9d1d3aef479e.vbs"
        15⤵
        
        PID:2688
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2bf8b6-bf31-4e0f-b147-75e84c7d3510.vbs"
        17⤵
        
        PID:3284
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce3ee472-be87-4bfb-ac04-6fce115df4c9.vbs"
        19⤵
        
        PID:3632
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02633907-a268-46e6-93af-883d2e0dc9ba.vbs"
        21⤵
        
        PID:528
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68daac25-a672-431c-b636-07c5c50bc3a9.vbs"
        23⤵
        
        PID:2220
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5ea50ba-3434-4d8c-b839-f3e359fdc28e.vbs"
        25⤵
        
        PID:1268
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e74aead3-fac3-4955-8817-c20f49b4bb00.vbs"
        27⤵
        
        PID:2688
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cc94019-0377-41fc-85ea-5e13fc19645e.vbs"
        29⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b6d892-927d-4b34-b4b2-cfaa0d307b6e.vbs"
        29⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB646.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43e426ab-f438-44e4-9498-22b41e094d54.vbs"
        27⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp98DB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98DB.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp98DB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98DB.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\122ef2b5-324c-4247-8929-7ac9b3551eaa.vbs"
        25⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp6826.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6826.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp6826.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6826.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef2aec91-7992-4ff3-b715-b3dc37458ecb.vbs"
        23⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B76.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B76.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B76.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B76.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\624b2df2-d2fa-460d-94b9-b52b1b66b888.vbs"
        21⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp2F73.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2F73.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp2F73.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2F73.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b79819a-7c9c-42cf-bda3-f10223bbbf1c.vbs"
        19⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp142A.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d35b4bb-680a-4efe-b1ff-956b63c34fc1.vbs"
        17⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE347.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bbf5787-68e4-4c00-9ce3-41ba73e1fbda.vbs"
        15⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp89EC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp89EC.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp89EC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp89EC.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17a3a682-9a33-4475-b938-46c3bb9562bc.vbs"
        13⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D1D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D1D.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D1D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D1D.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7899b6a-fb82-4b29-b1b8-d5fe7bf62642.vbs"
        11⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp290F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp290F.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp290F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp290F.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\893fbd56-db49-4171-8b0a-0c4e15acf430.vbs"
        9⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmpF954.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF954.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmpF954.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF954.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ca2760e-2556-4d0f-a5e2-9e0f71c1280a.vbs"
        7⤵
        
        PID:3984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603873d1-40ec-4028-ba56-80c9d8436a67.vbs"
        5⤵
        
        PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBF87.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2180
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81002226-7e33-419f-bbe5-1e43a589a7bc.vbs"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\tmpA19F.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA19F.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\tmpA19F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA19F.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\ICU\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN5" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\SppExtComObj.exe

Filesize
4.9MB

MD5
4cb19f29a50b590b4e049659105ec340

SHA1
80bc53b20a62cf2d790376f121ec32ef2b1dc905

SHA256
5f6123163b483cf0d066198718dcf531abedfd43c880ba0252fcf7d55340fa4f

SHA512
53f74cb5cb83953316d0801c003e29c090acf4bb3d28f924ce70c188475dc052844abe7fd06825e068453496a5106f23d81e574c405b8887fa6445a71ed9ddd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1035971a-98e9-400a-9f41-506061fe99db.vbs

Filesize
713B

MD5
7f31d1ec7f6f41d986d909bcdb1d5fbf

SHA1
e634af0932d76ecc57195f041deacad4c88c52ce

SHA256
f3a37fb4031703e03693f2e73a3dd2e27655fef587f5c907e8864d97cc6cad61

SHA512
9885108cf54058dd47e9ea74e6fc768725a55572ec03ba4a2bfc7a768630284685f6ba585c2870502cbd4fa6d0ae0e5abf2128e65dc492c8795603e39a19d2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2665315d-df32-4222-881d-fca580790746.vbs

Filesize
713B

MD5
cf8aedef7056670888e66e59d3cc82a4

SHA1
3bc31249a9ea27487f94c7daefe447d56cd0f87e

SHA256
5944bc0c8afaa27a30bdca87d33bcd44ebbf20f14cb28c4f875cdfb16603033b

SHA512
c5d53a59788b14c056a6140ca43a182e635c48dd9e1ee19e6f434c2b592f2be85eb21489df982a2e16d5059b8e7d8eaa2f13190a59134e31e4ffd016c6817b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\2972947f-bb71-48f1-94f0-a42476201b31.vbs

Filesize
713B

MD5
76fba432569d1dd56046b514c974fafe

SHA1
2f098695dcc0c8ca44de9f7108ed035f3b50b49a

SHA256
df6fc1f5415cceff0e01223cbf18a50e6e141cb884a4be09bc1bcbfafb116600

SHA512
37439403e8c0acda0e6d9b95d6682a08e9b9db7a22daff258c87f648d7b98f62bc63cd024201b6a4ec9cbbc79e5b0a1be6993bbc75c810722b5fac5439860a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a2bf8b6-bf31-4e0f-b147-75e84c7d3510.vbs

Filesize
713B

MD5
80f4d196671dd067260d2262e6cede50

SHA1
b819c0b2faed32b04c3a75d7c459e4a7a3db5bc1

SHA256
d256a889e51a304d5bd3c504391ee6a59659b41f3fe2b8f9973ffd8310ba49df

SHA512
a82f6f66c7705a75701bf2ffa63cf7d653c5e61bf4913139ee45a0c9f361a4334a9d9c063288429410cc2afea0402729e9aca32d16df37bb9d42e34c18a38101

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d0d4bec-758f-45d4-b574-de1263882bdb.vbs

Filesize
713B

MD5
f62c7ff304332b440945b11fb23e8c9c

SHA1
1206a6e03c16464b1799c88d2788cb3a9509e6dc

SHA256
d2ff64914ed4e33970dd12038b085269b54533552d20beccc4c26767b9f67346

SHA512
7656e9b7d1b0122c12f7a8347fc5021ee2da32ae6552c7120fe4f0805d0109f0ad538ffe12227cc09f65e7c0e8568aa1984f1fe0f575734eedf2a072b772cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81002226-7e33-419f-bbe5-1e43a589a7bc.vbs

Filesize
489B

MD5
55efe8e582bb7ccb668f8d178edd4df1

SHA1
9df40932171eb010961be2da83b0f3cbe998d4f1

SHA256
da3bda6eb717d79367476a2370beafed87152fd1d798a3172284a7c51d3b4581

SHA512
8a36e58f66c04c0c5a2fba38688c6bf4d53219b6868de1d81a2d6be974bf6f098c25af566549039f61f47006632367afee0dc5264242f88782f804bf89d6894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxdxo4ad.4ez.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0ef1669-fd73-4f08-96f3-200edaa2af43.vbs

Filesize
713B

MD5
80ff2d671de0eaffc7e57f66b861021e

SHA1
3979c916090f6627c77469c60b1b3f7c824c8685

SHA256
5e62a3e6040b067728ba9bfbe38a390df30b5ce90c530776cc4534bf280a2e4c

SHA512
63aec3bce62f294db64c480bc3939f9896497182b6ae913fa2e761761b4cb4618516b1e2fc01bc018f432a31175027fc68c05d0f9d62e66806bbd5e9dc8e1f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3efeea0-2ba1-476f-bf5b-23c36a5e6740.vbs

Filesize
713B

MD5
8400f7c4123f1584bf5de0bd979aeccd

SHA1
13407108f964f8a18609eb324b6ba9f0650b5e5b

SHA256
8590541866726549860f7b9140f954f22533903e8a18c3e45c91d7bc0fb7f7c4

SHA512
15fd359ac1c57a4c29838ff589bd34ba7b546c722d44bb6ac48efb31f1ffc0127503b3bb6b1cc0b10765188829530c05d622a6ecea3473e04d4109484e83c89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9bab671-577e-4cba-be8a-9d1d3aef479e.vbs

Filesize
713B

MD5
0e79f94fa2ff71baa6eac8b75051bf1e

SHA1
4736882d752711281307e11654ce88a88e017137

SHA256
4e246c9f131fb338e0ac8ed4cee908869f661a4729d0e6e4e2a782066edfbd79

SHA512
56ec1961ec8f698a15cb397be6075af309c0b06444874e2923145ab35673501b185a250876c71fb4a1d5dd9bf0ca0e7452bd514ab6d27efaa2fa060ccfead588

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8292.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1892-5-0x000000001C690000-0x000000001C6E0000-memory.dmp

Filesize
320KB

Download
memory/1892-11-0x000000001BEF0000-0x000000001BF02000-memory.dmp

Filesize
72KB

Download
memory/1892-16-0x000000001C070000-0x000000001C078000-memory.dmp

Filesize
32KB

Download
memory/1892-18-0x000000001C7F0000-0x000000001C7FC000-memory.dmp

Filesize
48KB

Download
memory/1892-14-0x000000001C050000-0x000000001C05E000-memory.dmp

Filesize
56KB

Download
memory/1892-1-0x0000000000C50000-0x0000000001144000-memory.dmp

Filesize
5.0MB

Download
memory/1892-15-0x000000001C060000-0x000000001C06E000-memory.dmp

Filesize
56KB

Download
memory/1892-2-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp

Filesize
10.8MB

Download
memory/1892-264-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp

Filesize
10.8MB

Download
memory/1892-13-0x000000001BF00000-0x000000001BF0A000-memory.dmp

Filesize
40KB

Download
memory/1892-12-0x000000001CC10000-0x000000001D138000-memory.dmp

Filesize
5.2MB

Download
memory/1892-17-0x000000001C6E0000-0x000000001C6E8000-memory.dmp

Filesize
32KB

Download
memory/1892-10-0x000000001BEE0000-0x000000001BEEA000-memory.dmp

Filesize
40KB

Download
memory/1892-0-0x00007FFE3D2D3000-0x00007FFE3D2D5000-memory.dmp

Filesize
8KB

Download
memory/1892-8-0x000000001BEB0000-0x000000001BEC6000-memory.dmp

Filesize
88KB

Download
memory/1892-9-0x000000001BED0000-0x000000001BEE0000-memory.dmp

Filesize
64KB

Download
memory/1892-6-0x000000001BE90000-0x000000001BE98000-memory.dmp

Filesize
32KB

Download
memory/1892-7-0x000000001BEA0000-0x000000001BEB0000-memory.dmp

Filesize
64KB

Download
memory/1892-4-0x0000000003460000-0x000000000347C000-memory.dmp

Filesize
112KB

Download
memory/1892-3-0x000000001BF20000-0x000000001C04E000-memory.dmp

Filesize
1.2MB

Download
memory/1956-70-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4364-177-0x0000020159E20000-0x0000020159E42000-memory.dmp

Filesize
136KB

Download