colibri | 690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Size

4.9MB
MD5

005277f6397a0a43ce9eca2c2910b750
SHA1

ac5f700488ba1ca531cb528e718412473eb7b948
SHA256

690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073
SHA512

21c819d180a218e375928e76fca735ee4746d803aca4cae04a5f82f9dcdd97510e1b88e9fb789f57a37ae904e38b40e257b0e03f785dfba8931f85c4b6d29215
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		452	schtasks.exe
		4488	schtasks.exe
		4128	schtasks.exe
		4672	schtasks.exe
		1616	schtasks.exe
		4584	schtasks.exe
		4632	schtasks.exe
		2040	schtasks.exe
		5044	schtasks.exe
		2920	schtasks.exe
		1908	schtasks.exe
		4072	schtasks.exe
		2868	schtasks.exe
		3224	schtasks.exe
		1472	schtasks.exe
		4240	schtasks.exe
		4720	schtasks.exe
		2552	schtasks.exe
		2432	schtasks.exe
		1960	schtasks.exe
		4704	schtasks.exe
		2068	schtasks.exe
		1888	schtasks.exe
		5084	schtasks.exe
		2332	schtasks.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9		690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
		4512	schtasks.exe
		4428	schtasks.exe
		3700	schtasks.exe
		1492	schtasks.exe
		5008	schtasks.exe
		2624	schtasks.exe
		3820	schtasks.exe
		3008	schtasks.exe
		1500	schtasks.exe
		1464	schtasks.exe
		4780	schtasks.exe
		3628	schtasks.exe
		2352	schtasks.exe
		4316	schtasks.exe
		1940	schtasks.exe
		2276	schtasks.exe
		3552	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991		690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
		1392	schtasks.exe
		2536	schtasks.exe
		2864	schtasks.exe
		3248	schtasks.exe
		2520	schtasks.exe
		2240	schtasks.exe
		780	schtasks.exe
		3540	schtasks.exe
		3612	schtasks.exe
		4964	schtasks.exe
		4640	schtasks.exe
		4900	schtasks.exe
		1472	schtasks.exe
		2988	schtasks.exe
		3012	schtasks.exe
		5040	schtasks.exe
		4628	schtasks.exe
		3396	schtasks.exe
		4560	schtasks.exe
		2008	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3868	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	3868	schtasks.exe	86

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4976-2-0x000000001BE50000-0x000000001BF7E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4596	powershell.exe
3516	powershell.exe
5116	powershell.exe
344	powershell.exe
2060	powershell.exe
3392	powershell.exe
4284	powershell.exe
1944	powershell.exe
3252	powershell.exe
3476	powershell.exe
3176	powershell.exe
2740	powershell.exe
4324	powershell.exe
1528	powershell.exe
4132	powershell.exe
2388	powershell.exe
4816	powershell.exe
4816	powershell.exe
4780	powershell.exe
4852	powershell.exe
1976	powershell.exe
1908	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 39 IoCs

pid	Process
4032	tmp85BE.tmp.exe
5040	tmp85BE.tmp.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3188	tmpB035.tmp.exe
4012	tmpB035.tmp.exe
5276	services.exe
5680	tmpF1E2.tmp.exe
5744	tmpF1E2.tmp.exe
6100	services.exe
448	tmp219C.tmp.exe
1452	tmp219C.tmp.exe
2876	services.exe
2572	tmp50AB.tmp.exe
4704	tmp50AB.tmp.exe
5128	tmp50AB.tmp.exe
5232	services.exe
5772	tmp8102.tmp.exe
2428	tmp8102.tmp.exe
5696	services.exe
6108	tmp9CB8.tmp.exe
4700	tmp9CB8.tmp.exe
5188	services.exe
3476	tmpB726.tmp.exe
4480	tmpB726.tmp.exe
1136	services.exe
2500	tmpD210.tmp.exe
1764	tmpD210.tmp.exe
5284	services.exe
5984	tmp14E.tmp.exe
6048	tmp14E.tmp.exe
1856	tmp14E.tmp.exe
2264	services.exe
5008	tmp1C39.tmp.exe
4896	tmp1C39.tmp.exe
2008	services.exe
5192	tmp3762.tmp.exe
5032	tmp3762.tmp.exe
2592	tmp3762.tmp.exe
1396	services.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 5040	4032	tmp85BE.tmp.exe	108
PID 3188 set thread context of 4012	3188	tmpB035.tmp.exe	202
PID 5680 set thread context of 5744	5680	tmpF1E2.tmp.exe	238
PID 448 set thread context of 1452	448	tmp219C.tmp.exe	249
PID 4704 set thread context of 5128	4704	tmp50AB.tmp.exe	259
PID 5772 set thread context of 2428	5772	tmp8102.tmp.exe	269
PID 6108 set thread context of 4700	6108	tmp9CB8.tmp.exe	278
PID 3476 set thread context of 4480	3476	tmpB726.tmp.exe	288
PID 2500 set thread context of 1764	2500	tmpD210.tmp.exe	297
PID 6048 set thread context of 1856	6048	tmp14E.tmp.exe	311
PID 5008 set thread context of 4896	5008	tmp1C39.tmp.exe	325
PID 5032 set thread context of 2592	5032	tmp3762.tmp.exe	336

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\smss.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\Microsoft Office 15\69ddcba757bf72	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\Google\conhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Internet Explorer\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\Google\088424020bedd6	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\WindowsApps\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\5940a34987c991	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows Mail\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows Sidebar\5940a34987c991	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5940a34987c991	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\Google\conhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Google\RCX803D.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX8B20.tmp	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files\ModifiableWindowsApps\smss.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\backgroundTaskHost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows NT\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Google\RuntimeBroker.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\backgroundTaskHost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Internet Explorer\5940a34987c991	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\eddb19405b7ce1	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\smss.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\uk-UA\29c1c3cc0f7685	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\it-IT\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File opened for modification	C:\Windows\uk-UA\unsecapp.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\it-IT\services.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\it-IT\c5b4cb5e9653cc	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\OCR\fr-fr\OfficeClickToRun.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
File created	C:\Windows\uk-UA\unsecapp.exe	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3762.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1C39.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF1E2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8102.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85BE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9CB8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp14E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB035.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp50AB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp50AB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB726.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp14E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3762.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp219C.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3476	schtasks.exe
3548	schtasks.exe
4964	schtasks.exe
4488	schtasks.exe
2920	schtasks.exe
3540	schtasks.exe
2276	schtasks.exe
1888	schtasks.exe
4428	schtasks.exe
2704	schtasks.exe
1960	schtasks.exe
4632	schtasks.exe
1076	schtasks.exe
4640	schtasks.exe
3700	schtasks.exe
4188	schtasks.exe
4072	schtasks.exe
4316	schtasks.exe
3552	schtasks.exe
4128	schtasks.exe
4900	schtasks.exe
3396	schtasks.exe
2332	schtasks.exe
1492	schtasks.exe
5008	schtasks.exe
4672	schtasks.exe
3628	schtasks.exe
3168	schtasks.exe
1500	schtasks.exe
2432	schtasks.exe
3612	schtasks.exe
3748	schtasks.exe
2624	schtasks.exe
2008	schtasks.exe
2552	schtasks.exe
2352	schtasks.exe
2068	schtasks.exe
780	schtasks.exe
1464	schtasks.exe
3012	schtasks.exe
1628	schtasks.exe
2520	schtasks.exe
4900	schtasks.exe
4560	schtasks.exe
1616	schtasks.exe
2864	schtasks.exe
4628	schtasks.exe
3248	schtasks.exe
452	schtasks.exe
4240	schtasks.exe
1940	schtasks.exe
2040	schtasks.exe
1472	schtasks.exe
2536	schtasks.exe
4584	schtasks.exe
1392	schtasks.exe
4780	schtasks.exe
2988	schtasks.exe
1908	schtasks.exe
4704	schtasks.exe
5040	schtasks.exe
948	schtasks.exe
3008	schtasks.exe
1472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3392	powershell.exe
4284	powershell.exe
4284	powershell.exe
3392	powershell.exe
2060	powershell.exe
2060	powershell.exe
1528	powershell.exe
1528	powershell.exe
1944	powershell.exe
1944	powershell.exe
4324	powershell.exe
4324	powershell.exe
3252	powershell.exe
3252	powershell.exe
4780	powershell.exe
4780	powershell.exe
4596	powershell.exe
4596	powershell.exe
4816	powershell.exe
4816	powershell.exe
344	powershell.exe
344	powershell.exe
4780	powershell.exe
1944	powershell.exe
3252	powershell.exe
1528	powershell.exe
4284	powershell.exe
3392	powershell.exe
2060	powershell.exe
4596	powershell.exe
4324	powershell.exe
4816	powershell.exe
344	powershell.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
1908	powershell.exe
1908	powershell.exe
3476	powershell.exe
3476	powershell.exe
4132	powershell.exe
4132	powershell.exe
1976	powershell.exe
1976	powershell.exe
2388	powershell.exe
2388	powershell.exe
3176	powershell.exe
3176	powershell.exe
4852	powershell.exe
4852	powershell.exe
2740	powershell.exe
2740	powershell.exe
3476	powershell.exe
4816	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5276	services.exe
Token: SeDebugPrivilege	6100	services.exe
Token: SeDebugPrivilege	2876	services.exe
Token: SeDebugPrivilege	5232	services.exe
Token: SeDebugPrivilege	5696	services.exe
Token: SeDebugPrivilege	5188	services.exe
Token: SeDebugPrivilege	1136	services.exe
Token: SeDebugPrivilege	5284	services.exe
Token: SeDebugPrivilege	2264	services.exe
Token: SeDebugPrivilege	2008	services.exe
Token: SeDebugPrivilege	1396	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 4032	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	106
PID 4976 wrote to memory of 4032	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	106
PID 4976 wrote to memory of 4032	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	106
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4032 wrote to memory of 5040	4032	tmp85BE.tmp.exe	108
PID 4976 wrote to memory of 344	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	112
PID 4976 wrote to memory of 344	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	112
PID 4976 wrote to memory of 2060	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	113
PID 4976 wrote to memory of 2060	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	113
PID 4976 wrote to memory of 1528	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	114
PID 4976 wrote to memory of 1528	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	114
PID 4976 wrote to memory of 4284	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	115
PID 4976 wrote to memory of 4284	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	115
PID 4976 wrote to memory of 4324	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	116
PID 4976 wrote to memory of 4324	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	116
PID 4976 wrote to memory of 4816	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	117
PID 4976 wrote to memory of 4816	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	117
PID 4976 wrote to memory of 3392	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	118
PID 4976 wrote to memory of 3392	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	118
PID 4976 wrote to memory of 4596	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	120
PID 4976 wrote to memory of 4596	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	120
PID 4976 wrote to memory of 4780	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	121
PID 4976 wrote to memory of 4780	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	121
PID 4976 wrote to memory of 1944	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	126
PID 4976 wrote to memory of 1944	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	126
PID 4976 wrote to memory of 3252	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	130
PID 4976 wrote to memory of 3252	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	130
PID 4976 wrote to memory of 4592	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	133
PID 4976 wrote to memory of 4592	4976	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	133
PID 4592 wrote to memory of 3552	4592	cmd.exe	136
PID 4592 wrote to memory of 3552	4592	cmd.exe	136
PID 4592 wrote to memory of 3988	4592	cmd.exe	144
PID 4592 wrote to memory of 3988	4592	cmd.exe	144
PID 3988 wrote to memory of 3188	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	200
PID 3988 wrote to memory of 3188	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	200
PID 3988 wrote to memory of 3188	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	200
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3188 wrote to memory of 4012	3188	tmpB035.tmp.exe	202
PID 3988 wrote to memory of 3476	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	204
PID 3988 wrote to memory of 3476	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	204
PID 3988 wrote to memory of 4132	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	205
PID 3988 wrote to memory of 4132	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	205
PID 3988 wrote to memory of 1908	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	206
PID 3988 wrote to memory of 1908	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	206
PID 3988 wrote to memory of 1976	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	207
PID 3988 wrote to memory of 1976	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	207
PID 3988 wrote to memory of 4816	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	209
PID 3988 wrote to memory of 4816	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	209
PID 3988 wrote to memory of 2740	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	210
PID 3988 wrote to memory of 2740	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	210
PID 3988 wrote to memory of 2388	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	212
PID 3988 wrote to memory of 2388	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	212
PID 3988 wrote to memory of 3176	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	214
PID 3988 wrote to memory of 3176	3988	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe	214

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
"C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4976
- C:\Users\Admin\AppData\Local\Temp\tmp85BE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85BE.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\tmp85BE.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp85BE.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gkLFIn4v3n.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe
    "C:\Users\Admin\AppData\Local\Temp\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB035.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ucivtzbkBV.bat"
      4⤵
      PID:4176
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:344
    - - C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5276
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3d58336-e13c-436f-8958-428fec8a68ff.vbs"
        6⤵
        
        PID:5456
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14f76401-4161-46b3-9d7c-10a305979987.vbs"
        8⤵
        
        PID:5164
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d96055cf-0ff2-440c-8a54-e8f200a5d192.vbs"
        10⤵
        
        PID:2840
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0754d94f-6349-438f-b9e0-0dfd6089374f.vbs"
        12⤵
        
        PID:5484
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b36623a-cb67-492f-9013-92c843684ece.vbs"
        14⤵
        
        PID:5312
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c034deda-1396-4de9-940c-fd0dbb1f2f46.vbs"
        16⤵
        
        PID:1384
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\619f0a1d-45c6-4c39-8939-102f4f595d97.vbs"
        18⤵
        
        PID:1404
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22d7803-3e9f-4dca-91a8-f5b4e674d8bc.vbs"
        20⤵
        
        PID:244
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4baede86-f90f-4dce-a770-c1cce83b4f52.vbs"
        22⤵
        
        PID:5188
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22e23072-3e98-4cd7-bd1c-6c9aececc302.vbs"
        24⤵
        
        PID:4128
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\209458dc-64d3-4df1-b033-64f03b195355.vbs"
        26⤵
        
        PID:3276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0751d844-a675-4ff0-9e5f-16b56970ca3b.vbs"
        26⤵
        
        PID:5336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c447ba33-84f2-43ae-8c83-b0ae71f81ae9.vbs"
        24⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3762.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20bde167-d06f-420f-93b0-d7d491acc010.vbs"
        22⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1C39.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1fd7f0f-4155-44b8-b357-a2ff6538d0ed.vbs"
        20⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5984
        
        C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6048
        
        C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp14E.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a993a3-8f88-4127-aba2-63150e806925.vbs"
        18⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\tmpD210.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD210.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmpD210.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD210.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d592a755-3370-4048-a8a3-9c46bd44aba6.vbs"
        16⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123cc68c-a857-4a6c-8b47-d64aa9e8d6bd.vbs"
        14⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\tmp9CB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9CB8.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\tmp9CB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9CB8.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22f459bf-28a9-441b-b592-f349021577dd.vbs"
        12⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9fc6177-4c39-4b5c-89c9-4a1acf0460c6.vbs"
        10⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3bd0939-1705-44c8-8f66-1a3a7699421b.vbs"
        8⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp219C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp219C.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp219C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp219C.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8e9d59d-2a1d-46e1-ae88-2d01395a3ab4.vbs"
        6⤵
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF1E2.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Public\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
4.9MB

MD5
005277f6397a0a43ce9eca2c2910b750

SHA1
ac5f700488ba1ca531cb528e718412473eb7b948

SHA256
690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073

SHA512
21c819d180a218e375928e76fca735ee4746d803aca4cae04a5f82f9dcdd97510e1b88e9fb789f57a37ae904e38b40e257b0e03f785dfba8931f85c4b6d29215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\690aa6b50c9b49879ee982069ca5dddb52d11256ed82b3bd011d34926a49b073N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caae66b2d6030f85188e48e4ea3a9fa6

SHA1
108425bd97144fa0f92ff7b2109fec293d14a461

SHA256
a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

SHA512
189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9006afb2f47b3bb7d3669c647651e29c

SHA1
cdc0d7654be8e516df2c36accd9b52eac1f00ffd

SHA256
a025443b35555d64473b1ef01194239e808c49b47c924b99b942514036901302

SHA512
f2e72bbecfa823415bd0be7a091b1272e10e11059a71baf115780aa7ce3e694d114f6642de161ccba24e2182765b8188cc6dbb804fd07e318af9e1917549841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d7e01f2da5faf06203d0bdcf32f2aee

SHA1
972128bc0896422301531607773f6af989535547

SHA256
57df11f5726f22f6b65380a63c6ddeeced49bd543781cf05428932500c6e2cef

SHA512
2d446d1ed39875581a11fc433c9fd13c7b5ad4133c50f93cfc18e355339c1dd8937058864250c9e3d659049f4feb8cf8e1ce3fd90716eb5c9b8cd309b9ccc16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0754d94f-6349-438f-b9e0-0dfd6089374f.vbs

Filesize
724B

MD5
6157f432fae2ded322eeddf83b2d7bfc

SHA1
37b9f29522c810d4ef8cb8fb54a7112d816a5211

SHA256
db3c1b82b4520d7ddad0a84a4aef05686f4efca783c00d75a6e797429b2d715e

SHA512
fd0b9a0b3b985d010a180a738df86e58b107c5266192d6361a6763aa6994798af411a1b39ff920cefc563c49ec93193fb14ad2617005275d779d156d07c355c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\14f76401-4161-46b3-9d7c-10a305979987.vbs

Filesize
724B

MD5
dff0ad4dcafc56e133f71dd7b1616f51

SHA1
67f7a1c026e949f9e26485454c49c2a318739c87

SHA256
6f084e92f5ff68739b57801e9c4a902619eb5136df5bf6baee250cd2ad2f34d3

SHA512
6e50d04f77ce1a4026df91c462a358f3007026a2b7d4d6a1998aa7321caecee08c3c28df97a5a2c498a8075ed72d404fe7c4494d538afc0302c34748bc6faba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq4jlldz.c3s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96055cf-0ff2-440c-8a54-e8f200a5d192.vbs

Filesize
724B

MD5
7a6e40d7aa824bc98e3602b3085dd3e4

SHA1
00916721c53da2a526b4a9f64ec3e68a0deb15fe

SHA256
6c96ba9b0b75aa4603f1ba7c770fafeed736e4fabd615577a6117f66fcd8fe41

SHA512
3b2fb568ca8c90e1168bcc79173cf580a36ed225b62ef154e03c8a84e116c9fe2a552d896a9c82e935bb0f4a3b52d607d852325fbaad4da9ea26e1b8b422551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8e9d59d-2a1d-46e1-ae88-2d01395a3ab4.vbs

Filesize
500B

MD5
04440e5fdb9357b3b296e11d5d4687da

SHA1
5831b7e7c912a3f4bcacd312b75a196aeae6ed6e

SHA256
9fac982a947dc0d04f642e58100504c9f3f409213517ab6e6001d6626c30f0c3

SHA512
49d6611128ec92e2a6f3ade89d8a97902bcc74bf416565bb8ca543935b55859585cf2db9b902fddacd95d36da585097c407730335c138375f1f3714f362b4cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3d58336-e13c-436f-8958-428fec8a68ff.vbs

Filesize
724B

MD5
834e29b567bcfbae0609232e31a21aa4

SHA1
3ccce77c7d26f4b3a347261df31014c19153bb18

SHA256
0fbca3d20679ad70190fb2a873b78f64a7e532220cca3310545387f0761b6325

SHA512
ca510c0833a2838027a80f9b3c161642e76731bdeafd1d939cf7f336f30284142f82131a32a5cbd934be47606c6140807d2ab1a0389eb35a3defabeef788eede

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkLFIn4v3n.bat

Filesize
268B

MD5
ad8e2d3e220b9708ccedd568e63ac57c

SHA1
6052807827a4234d201bedcc72d4675d1645107f

SHA256
8d9c28da50cb9fd12b2fa7ddaf3e5226d18b174bd72326e234fb9ad7aae4df47

SHA512
d01ea81639c9990c9caac3e16545b954dde296d0817b36fa51c6afffa6c084bc56862ebbf1887b54367fa8eb51231717666b6e0e4f99b777104a7fe8a9a89887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85BE.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucivtzbkBV.bat

Filesize
213B

MD5
6801bfd16f8e90f1139d149f42109fc5

SHA1
b94c149bc556a7cb9abdf1cc0079b2e36b3a13d0

SHA256
a26b212da9893837cf525023f9b80157f01d5847d1b64df36b77984a7f13c078

SHA512
126b72242e5efb534fa2769e1bbfa8af7cb0037c1d38ab6546c921718bd12eaff48ad2d26a44a23d652fb494f158d6c710f4e5b53109da95e391390cf744da8f

Download Submit
C:\Users\Default User\e1ef82546f0b02

Filesize
16B

MD5
3e9bf51db5a45710f941c50167d101e5

SHA1
b958ca002a104df196f4dade7259934958fbfad3

SHA256
0e0a8d949f5f315efd83149561e226eec2cfe5a0bcc44043df11b4e4e59f8f62

SHA512
b99359fb785e61099e8ccb1f615d19d69fe6e33e7299b79953dabe96949a86db6c300b8f56e06f89f65d0de483dd9164d6663a0efe0b2c4e238e036696343d34

Download Submit
memory/3988-219-0x000000001C6D0000-0x000000001C6E2000-memory.dmp

Filesize
72KB

Download
memory/4284-103-0x0000015CE8150000-0x0000015CE8172000-memory.dmp

Filesize
136KB

Download
memory/4976-10-0x0000000003250000-0x000000000325A000-memory.dmp

Filesize
40KB

Download
memory/4976-16-0x000000001BDE0000-0x000000001BDE8000-memory.dmp

Filesize
32KB

Download
memory/4976-0-0x00007FFED1093000-0x00007FFED1095000-memory.dmp

Filesize
8KB

Download
memory/4976-9-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/4976-11-0x0000000003260000-0x0000000003272000-memory.dmp

Filesize
72KB

Download
memory/4976-17-0x000000001BDF0000-0x000000001BDF8000-memory.dmp

Filesize
32KB

Download
memory/4976-14-0x000000001BDC0000-0x000000001BDCE000-memory.dmp

Filesize
56KB

Download
memory/4976-15-0x000000001BDD0000-0x000000001BDDE000-memory.dmp

Filesize
56KB

Download
memory/4976-13-0x0000000003270000-0x000000000327A000-memory.dmp

Filesize
40KB

Download
memory/4976-12-0x000000001CAD0000-0x000000001CFF8000-memory.dmp

Filesize
5.2MB

Download
memory/4976-1-0x00000000009A0000-0x0000000000E94000-memory.dmp

Filesize
5.0MB

Download
memory/4976-102-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4976-18-0x000000001BE00000-0x000000001BE0C000-memory.dmp

Filesize
48KB

Download
memory/4976-8-0x0000000003220000-0x0000000003236000-memory.dmp

Filesize
88KB

Download
memory/4976-5-0x000000001BD70000-0x000000001BDC0000-memory.dmp

Filesize
320KB

Download
memory/4976-7-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/4976-6-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/4976-4-0x0000000003090000-0x00000000030AC000-memory.dmp

Filesize
112KB

Download
memory/4976-3-0x00007FFED1090000-0x00007FFED1B51000-memory.dmp

Filesize
10.8MB

Download
memory/4976-2-0x000000001BE50000-0x000000001BF7E000-memory.dmp

Filesize
1.2MB

Download
memory/5040-70-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download