colibri | b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Size

4.9MB
MD5

dc0f33684dad2fbdd9801489c2a24150
SHA1

6c2f859577d7f959f4f0056c9f5a6b2c22ef3333
SHA256

b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55
SHA512

e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1736	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1736	schtasks.exe	84

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4900-2-0x000000001BA80000-0x000000001BBAE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3120	powershell.exe
2356	powershell.exe
1052	powershell.exe
3944	powershell.exe
3968	powershell.exe
1080	powershell.exe
3768	powershell.exe
4012	powershell.exe
1992	powershell.exe
4980	powershell.exe
1412	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 51 IoCs

pid	Process
4964	tmpE87E.tmp.exe
2308	tmpE87E.tmp.exe
1944	tmpE87E.tmp.exe
1160	tmpE87E.tmp.exe
5108	tmpE87E.tmp.exe
5376	OfficeClickToRun.exe
5720	tmp15D5.tmp.exe
5792	tmp15D5.tmp.exe
5904	OfficeClickToRun.exe
4040	tmp335F.tmp.exe
652	tmp335F.tmp.exe
208	OfficeClickToRun.exe
1944	tmp63E5.tmp.exe
4384	tmp63E5.tmp.exe
4532	OfficeClickToRun.exe
2848	tmp9507.tmp.exe
4964	tmp9507.tmp.exe
3832	OfficeClickToRun.exe
3024	tmpC59D.tmp.exe
5732	tmpC59D.tmp.exe
5776	tmpC59D.tmp.exe
5828	tmpC59D.tmp.exe
6060	OfficeClickToRun.exe
5956	tmpF874.tmp.exe
4976	tmpF874.tmp.exe
4044	OfficeClickToRun.exe
100	tmp1563.tmp.exe
4260	tmp1563.tmp.exe
2008	tmp1563.tmp.exe
1464	OfficeClickToRun.exe
3224	tmp358D.tmp.exe
4796	tmp358D.tmp.exe
3376	tmp358D.tmp.exe
5140	OfficeClickToRun.exe
1300	tmp6623.tmp.exe
5824	tmp6623.tmp.exe
3948	OfficeClickToRun.exe
3596	tmp8275.tmp.exe
2556	tmp8275.tmp.exe
100	OfficeClickToRun.exe
720	tmp9FC1.tmp.exe
4496	tmp9FC1.tmp.exe
4640	OfficeClickToRun.exe
5700	tmpD1CD.tmp.exe
5788	tmpD1CD.tmp.exe
444	OfficeClickToRun.exe
3156	tmpEE4E.tmp.exe
5936	tmpEE4E.tmp.exe
6132	OfficeClickToRun.exe
740	tmp20A9.tmp.exe
3616	tmp20A9.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 5108	1160	tmpE87E.tmp.exe	110
PID 5720 set thread context of 5792	5720	tmp15D5.tmp.exe	145
PID 4040 set thread context of 652	4040	tmp335F.tmp.exe	151
PID 1944 set thread context of 4384	1944	tmp63E5.tmp.exe	160
PID 2848 set thread context of 4964	2848	tmp9507.tmp.exe	166
PID 5776 set thread context of 5828	5776	tmpC59D.tmp.exe	174
PID 5956 set thread context of 4976	5956	tmpF874.tmp.exe	182
PID 4260 set thread context of 2008	4260	tmp1563.tmp.exe	189
PID 4796 set thread context of 3376	4796	tmp358D.tmp.exe	196
PID 1300 set thread context of 5824	1300	tmp6623.tmp.exe	205
PID 3596 set thread context of 2556	3596	tmp8275.tmp.exe	216
PID 720 set thread context of 4496	720	tmp9FC1.tmp.exe	222
PID 5700 set thread context of 5788	5700	tmpD1CD.tmp.exe	228
PID 3156 set thread context of 5936	3156	tmpEE4E.tmp.exe	234
PID 740 set thread context of 3616	740	tmp20A9.tmp.exe	243

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\RCXE820.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Program Files (x86)\Google\lsass.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Google\lsass.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Program Files (x86)\Google\6203df4a6bafc7	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\e6c9b481da804f	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\bcastdvr\sppsvc.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\bcastdvr\0a1fd5f707cd16	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\ShellComponents\RCXEA35.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\ShellComponents\OfficeClickToRun.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\bcastdvr\RCXEE6D.tmp	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File opened for modification	C:\Windows\bcastdvr\sppsvc.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
File created	C:\Windows\ShellComponents\OfficeClickToRun.exe	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp63E5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6623.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8275.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp335F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF874.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp358D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp20A9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC59D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC59D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC59D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1563.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1563.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp358D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEE4E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp15D5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9FC1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD1CD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9507.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3904	schtasks.exe
3088	schtasks.exe
4676	schtasks.exe
3008	schtasks.exe
3044	schtasks.exe
2560	schtasks.exe
4324	schtasks.exe
2940	schtasks.exe
1688	schtasks.exe
4680	schtasks.exe
1656	schtasks.exe
2592	schtasks.exe
4032	schtasks.exe
2588	schtasks.exe
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
3768	powershell.exe
3768	powershell.exe
1992	powershell.exe
1992	powershell.exe
2356	powershell.exe
2356	powershell.exe
1412	powershell.exe
1412	powershell.exe
1052	powershell.exe
1052	powershell.exe
1080	powershell.exe
1080	powershell.exe
4012	powershell.exe
4012	powershell.exe
3968	powershell.exe
3968	powershell.exe
3944	powershell.exe
3944	powershell.exe
4980	powershell.exe
4980	powershell.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe
1052	powershell.exe
1992	powershell.exe
2356	powershell.exe
3768	powershell.exe
3968	powershell.exe
1412	powershell.exe
1080	powershell.exe
3944	powershell.exe
4012	powershell.exe
4980	powershell.exe
5376	OfficeClickToRun.exe
5904	OfficeClickToRun.exe
208	OfficeClickToRun.exe
4532	OfficeClickToRun.exe
3832	OfficeClickToRun.exe
6060	OfficeClickToRun.exe
4044	OfficeClickToRun.exe
1464	OfficeClickToRun.exe
5140	OfficeClickToRun.exe
3948	OfficeClickToRun.exe
3948	OfficeClickToRun.exe
100	OfficeClickToRun.exe
100	OfficeClickToRun.exe
4640	OfficeClickToRun.exe
4640	OfficeClickToRun.exe
444	OfficeClickToRun.exe
444	OfficeClickToRun.exe
6132	OfficeClickToRun.exe
6132	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	5376	OfficeClickToRun.exe
Token: SeDebugPrivilege	5904	OfficeClickToRun.exe
Token: SeDebugPrivilege	208	OfficeClickToRun.exe
Token: SeDebugPrivilege	4532	OfficeClickToRun.exe
Token: SeDebugPrivilege	3832	OfficeClickToRun.exe
Token: SeDebugPrivilege	6060	OfficeClickToRun.exe
Token: SeDebugPrivilege	4044	OfficeClickToRun.exe
Token: SeDebugPrivilege	1464	OfficeClickToRun.exe
Token: SeDebugPrivilege	5140	OfficeClickToRun.exe
Token: SeDebugPrivilege	3948	OfficeClickToRun.exe
Token: SeDebugPrivilege	100	OfficeClickToRun.exe
Token: SeDebugPrivilege	4640	OfficeClickToRun.exe
Token: SeDebugPrivilege	444	OfficeClickToRun.exe
Token: SeDebugPrivilege	6132	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4964	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 4900 wrote to memory of 4964	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 4900 wrote to memory of 4964	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	105
PID 4964 wrote to memory of 2308	4964	tmpE87E.tmp.exe	107
PID 4964 wrote to memory of 2308	4964	tmpE87E.tmp.exe	107
PID 4964 wrote to memory of 2308	4964	tmpE87E.tmp.exe	107
PID 2308 wrote to memory of 1944	2308	tmpE87E.tmp.exe	108
PID 2308 wrote to memory of 1944	2308	tmpE87E.tmp.exe	108
PID 2308 wrote to memory of 1944	2308	tmpE87E.tmp.exe	108
PID 1944 wrote to memory of 1160	1944	tmpE87E.tmp.exe	109
PID 1944 wrote to memory of 1160	1944	tmpE87E.tmp.exe	109
PID 1944 wrote to memory of 1160	1944	tmpE87E.tmp.exe	109
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 1160 wrote to memory of 5108	1160	tmpE87E.tmp.exe	110
PID 4900 wrote to memory of 3120	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	112
PID 4900 wrote to memory of 3120	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	112
PID 4900 wrote to memory of 1080	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	113
PID 4900 wrote to memory of 1080	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	113
PID 4900 wrote to memory of 3944	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	114
PID 4900 wrote to memory of 3944	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	114
PID 4900 wrote to memory of 1052	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	115
PID 4900 wrote to memory of 1052	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	115
PID 4900 wrote to memory of 2356	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	116
PID 4900 wrote to memory of 2356	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	116
PID 4900 wrote to memory of 3968	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	117
PID 4900 wrote to memory of 3968	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	117
PID 4900 wrote to memory of 1412	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	118
PID 4900 wrote to memory of 1412	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	118
PID 4900 wrote to memory of 4980	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	119
PID 4900 wrote to memory of 4980	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	119
PID 4900 wrote to memory of 1992	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	120
PID 4900 wrote to memory of 1992	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	120
PID 4900 wrote to memory of 4012	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	121
PID 4900 wrote to memory of 4012	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	121
PID 4900 wrote to memory of 3768	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	122
PID 4900 wrote to memory of 3768	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	122
PID 4900 wrote to memory of 3244	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	133
PID 4900 wrote to memory of 3244	4900	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe	133
PID 3244 wrote to memory of 2252	3244	cmd.exe	136
PID 3244 wrote to memory of 2252	3244	cmd.exe	136
PID 3244 wrote to memory of 5376	3244	cmd.exe	139
PID 3244 wrote to memory of 5376	3244	cmd.exe	139
PID 5376 wrote to memory of 5536	5376	OfficeClickToRun.exe	141
PID 5376 wrote to memory of 5536	5376	OfficeClickToRun.exe	141
PID 5376 wrote to memory of 5612	5376	OfficeClickToRun.exe	142
PID 5376 wrote to memory of 5612	5376	OfficeClickToRun.exe	142
PID 5376 wrote to memory of 5720	5376	OfficeClickToRun.exe	143
PID 5376 wrote to memory of 5720	5376	OfficeClickToRun.exe	143
PID 5376 wrote to memory of 5720	5376	OfficeClickToRun.exe	143
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5720 wrote to memory of 5792	5720	tmp15D5.tmp.exe	145
PID 5536 wrote to memory of 5904	5536	WScript.exe	146
PID 5536 wrote to memory of 5904	5536	WScript.exe	146
PID 5904 wrote to memory of 6040	5904	OfficeClickToRun.exe	147

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe
"C:\Users\Admin\AppData\Local\Temp\b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4900
- C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2252
- - C:\Windows\ShellComponents\OfficeClickToRun.exe
    "C:\Windows\ShellComponents\OfficeClickToRun.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5376
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d1e1dca-2a68-41e3-891c-7b79339816d9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5536
    - - C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\456a4f08-93af-4060-8ee7-55633fb1fcac.vbs"
        6⤵
        
        PID:6040
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cbc5e54-c076-4224-9bf3-a4ccbe9067cb.vbs"
        8⤵
        
        PID:3528
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71e941d1-86e3-4f0c-b112-009f40a898a7.vbs"
        10⤵
        
        PID:3156
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3cc6c12-243d-43ec-93cc-a99375c2a1a8.vbs"
        12⤵
        
        PID:3096
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29b3f17a-a06d-4c50-9b8f-a3bf9d163695.vbs"
        14⤵
        
        PID:3616
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c2309e9-2583-4619-8e05-2137f0352325.vbs"
        16⤵
        
        PID:1964
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffdc0f11-3891-49a2-a704-1c40b220cc44.vbs"
        18⤵
        
        PID:1816
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dd8e951-985a-49b3-a067-292872ac96e4.vbs"
        20⤵
        
        PID:3668
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28221fac-3711-43f3-a9b6-334e09cc796b.vbs"
        22⤵
        
        PID:3144
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df25370-7339-4f9f-96a4-47671fc5874a.vbs"
        24⤵
        
        PID:1812
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7830c491-346d-453e-8808-cde14781c17c.vbs"
        26⤵
        
        PID:6140
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e932f3a-78e2-40fe-8b4e-01ecc7aa80c6.vbs"
        28⤵
        
        PID:3664
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        
        C:\Windows\ShellComponents\OfficeClickToRun.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaf29fb0-8b5c-4185-986d-00af184c4f5b.vbs"
        30⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26e85250-7259-4522-81a1-a1043aa971b3.vbs"
        30⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp20A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20A9.tmp.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp20A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20A9.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b4e89cc-0f26-4be6-a198-6783727f6073.vbs"
        28⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmpEE4E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEE4E.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmpEE4E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEE4E.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4844e3b-dafa-4e6c-a273-7ca1baf2d2f1.vbs"
        26⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmpD1CD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD1CD.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        C:\Users\Admin\AppData\Local\Temp\tmpD1CD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD1CD.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:5788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4d0707-9530-4f4e-b4a8-703a8a1d94e2.vbs"
        24⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp9FC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9FC1.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\tmp9FC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9FC1.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78976ecc-1590-4ed6-9bb0-80d2b38609c1.vbs"
        22⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp8275.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8275.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp8275.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8275.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e15ddc5-c5f5-4b82-90cd-6700f6c09269.vbs"
        20⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp6623.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6623.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp6623.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6623.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:5824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b92f403-c893-4e36-a95f-cca6b54eb269.vbs"
        18⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp358D.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9547e988-982e-4bc7-9d50-3521fcb9340f.vbs"
        16⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1563.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c50660e-6d5d-40ca-815d-d37f46ddae73.vbs"
        14⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmpF874.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF874.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\tmpF874.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF874.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c5c5ce9-37e7-41b9-8e19-5b5a58df15df.vbs"
        12⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC59D.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:5828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94000a0e-90bc-4938-acb7-16052a10a6d8.vbs"
        10⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\tmp9507.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9507.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp9507.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9507.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9591c905-2693-4471-a214-22bc2ba33140.vbs"
        8⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp63E5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp63E5.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp63E5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp63E5.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4384
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18ca3048-0710-4fd8-a30d-b2a296095383.vbs"
        6⤵
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:652
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8734c50c-257d-4c2a-bfc4-9a1c7c9da9e5.vbs"
      4⤵
      PID:5612
  - - C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5720
    - - C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp15D5.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\29b3f17a-a06d-4c50-9b8f-a3bf9d163695.vbs

Filesize
723B

MD5
3fecf1950a7c47902b9be88c347aeb3f

SHA1
c0d5d72a6f24c39a28093ce862eec6a9dbc3ee4c

SHA256
aabbf62e4ae7b4fd38244b1472a939a822ddaf49393cafa0c5491404d93214e9

SHA512
d04537fc0717bc97fbf5c758a696991db289fa80c9e955b4293be94e6f6605c47f0166c05a46bb5449b0f5103176902dc2769cb5b8288a05d8540bd6433629e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\456a4f08-93af-4060-8ee7-55633fb1fcac.vbs

Filesize
723B

MD5
8e123ab3972c14ec40a8cff4e37cfa58

SHA1
9e19a9b0a8474028e5010aaf673109917d91e36e

SHA256
7a09f2d61191053c1cb07569105fadaebf4f9c8e37fc28d90f9527528fe76b53

SHA512
52926241a91f85e8a12b2095e0fd57428617413d360f6d6c2a320bb89239b5c89a01d6da065df5266ed7cbb59cb691bae93245fe7ff8bfc2bee95dc6e8fc2b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d1e1dca-2a68-41e3-891c-7b79339816d9.vbs

Filesize
723B

MD5
1e46ac32ef0c1964871389a705ce9317

SHA1
6e52ced8631469973158fc63ac57fa04199e00de

SHA256
b57073a551acca217a2ab0a43c17f141684e2b375c13fcac1770697f92e1afd8

SHA512
7800d60c1182cdde7af7b8e3604dc28f63c75f90dfd76eba476f3f2c4dbbba31a6dd1827d488fee65bd8271050b87724a7fa4d1e31d96114e5490923e5a37616

Download Submit
C:\Users\Admin\AppData\Local\Temp\71e941d1-86e3-4f0c-b112-009f40a898a7.vbs

Filesize
723B

MD5
44dbb19c44f5087026ef3270156e7e0e

SHA1
32b389f6de2f0f6cab50e4c2daa9329735eb9632

SHA256
49b6b8ccf26b4a38bf270ef21bb3d48ea1b25a1e035aa84270946bda4d011671

SHA512
01d4f0306b59e4568fed484fb37f06cada859c1d4d6f1eb74165be3d6910d31b2d2081f5200e7e727ff0bd740297fda5e500404ec6af28b3d75910b381656993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7cbc5e54-c076-4224-9bf3-a4ccbe9067cb.vbs

Filesize
722B

MD5
4d200919e492cecd0d36072a51c4c945

SHA1
3bdcb32f56a9047bbcf8e0e472116b0db341e905

SHA256
808face9af3bc51d02dafead05a8691fc4b08d8fda35471ed491ee920e63648c

SHA512
2842173218b11bde1e1fba480b515faa3dc3dc41d0f3995d643ba625358e1f65d6db6ef2bc352993a6a1b4fa9ef2e5894a512b485271d4701bb0e4ed69d52f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\8734c50c-257d-4c2a-bfc4-9a1c7c9da9e5.vbs

Filesize
499B

MD5
e63364b60e6e4f1898b5c015ea6cd818

SHA1
5def737f026d9a9c819a1b12cdf3ac161e45a5c2

SHA256
71ec557022957f9d078ba250d276bba0e36721e10cce37fe477719cfe05354e7

SHA512
157cb95504d13409778ad8a09ee1e54f9fae534b789b82000e375f311767be835a8cbe9bc1c1f64a81ed008de9deb39ae9e6b8239a4bb5ef356e607b0b3632da

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcictv5p.vwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3cc6c12-243d-43ec-93cc-a99375c2a1a8.vbs

Filesize
723B

MD5
97bb4ef25a118da975fa40153a549fe3

SHA1
6f5e043c2c912e89c8f2000ccaf272198db17af7

SHA256
e15ce987c11034f11b8e45461d3e368a1188a9cf1698b1942edcad0817a301ae

SHA512
c6c61ebeda4873f13c9b1f2b50b8fe23cc5f7366a3cb97a3cabef576507dcc7d2c167cdac99d880eb6034f5e8dd3b6bcb0ed4f3550b34642614f4d25186b7d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxKS4C7dQ8.bat

Filesize
212B

MD5
ddf9bcc3405ecb769ddced00b68e5b88

SHA1
14898d3ac403542ed9cb8dc1575802fcf8a4fad7

SHA256
0b170c2d4a4d9466d7b8571c7aad1215ab471405d446564f5c75656107e71555

SHA512
d35a24ba95557b9d6111ec87458bf723ca1efa2dd4c6ef415c7cbe15a944073e9a2232fd141919f160ce266d7c1a0ac2eef0dbbe67df4138e54d6ccf6b9f4db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE87E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\bcastdvr\sppsvc.exe

Filesize
4.9MB

MD5
dc0f33684dad2fbdd9801489c2a24150

SHA1
6c2f859577d7f959f4f0056c9f5a6b2c22ef3333

SHA256
b6c7bfb4ebe13292563cfc2616eee93f4261add47186b0341e332917d13c7c55

SHA512
e333c6592b0bb816c1a5c1baa5ea22249eed4fcad54dc5c3e898df00e36390ab025d163136f41ad4a0bb8cc933159b93ad0d15e100ba7dcd3248cfd709152650

Download Submit
memory/100-435-0x000000001BEC0000-0x000000001BED2000-memory.dmp

Filesize
72KB

Download
memory/1464-384-0x000000001C630000-0x000000001C642000-memory.dmp

Filesize
72KB

Download
memory/1992-99-0x00000257F1FA0000-0x00000257F1FC2000-memory.dmp

Filesize
136KB

Download
memory/3832-312-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/4900-11-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/4900-9-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/4900-17-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/4900-13-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/4900-14-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/4900-15-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/4900-12-0x000000001C7C0000-0x000000001CCE8000-memory.dmp

Filesize
5.2MB

Download
memory/4900-16-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/4900-10-0x000000001BA60000-0x000000001BA6A000-memory.dmp

Filesize
40KB

Download
memory/4900-5-0x000000001C240000-0x000000001C290000-memory.dmp

Filesize
320KB

Download
memory/4900-8-0x000000001BBB0000-0x000000001BBC6000-memory.dmp

Filesize
88KB

Download
memory/4900-93-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4900-6-0x0000000002E10000-0x0000000002E18000-memory.dmp

Filesize
32KB

Download
memory/4900-7-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4900-4-0x00000000014F0000-0x000000000150C000-memory.dmp

Filesize
112KB

Download
memory/4900-2-0x000000001BA80000-0x000000001BBAE000-memory.dmp

Filesize
1.2MB

Download
memory/4900-18-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/4900-3-0x00007FFA5E940000-0x00007FFA5F401000-memory.dmp

Filesize
10.8MB

Download
memory/4900-1-0x00000000007F0000-0x0000000000CE4000-memory.dmp

Filesize
5.0MB

Download
memory/4900-0-0x00007FFA5E943000-0x00007FFA5E945000-memory.dmp

Filesize
8KB

Download
memory/5108-64-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download