colibri | c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Size

4.9MB
MD5

6980bcd5d7d665f70f434120a1d20549
SHA1

8104f0c2f92ecb1ab9c6700f14d56059a93a9465
SHA256

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
SHA512

2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2648	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2648	schtasks.exe

UAC bypass 3 TTPs 48 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4520-2-0x000000001BAB0000-0x000000001BBDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3108	powershell.exe
1792	powershell.exe
4764	powershell.exe
1028	powershell.exe
2472	powershell.exe
4412	powershell.exe
1752	powershell.exe
2824	powershell.exe
4004	powershell.exe
3432	powershell.exe
2968	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 49 IoCs

Processes:

tmpBC8C.tmp.exetmpBC8C.tmp.exesmss.exetmpD978.tmp.exetmpD978.tmp.exetmpD978.tmp.exesmss.exetmpCAD.tmp.exetmpCAD.tmp.exesmss.exetmp28D0.tmp.exetmp28D0.tmp.exesmss.exetmp44C4.tmp.exetmp44C4.tmp.exesmss.exetmp605B.tmp.exetmp605B.tmp.exesmss.exetmp7B65.tmp.exetmp7B65.tmp.exesmss.exetmpAB8D.tmp.exetmpAB8D.tmp.exesmss.exetmpDB57.tmp.exetmpDB57.tmp.exesmss.exetmpA95.tmp.exetmpA95.tmp.exesmss.exetmp2560.tmp.exetmp2560.tmp.exesmss.exesmss.exetmp6F2B.tmp.exetmp6F2B.tmp.exesmss.exetmp8B00.tmp.exetmp8B00.tmp.exetmp8B00.tmp.exesmss.exetmpBA2E.tmp.exetmpBA2E.tmp.exesmss.exetmpE8EF.tmp.exetmpE8EF.tmp.exetmpE8EF.tmp.exetmpE8EF.tmp.exe

pid	process
1772	tmpBC8C.tmp.exe
2616	tmpBC8C.tmp.exe
2108	smss.exe
100	tmpD978.tmp.exe
4852	tmpD978.tmp.exe
4952	tmpD978.tmp.exe
3388	smss.exe
1536	tmpCAD.tmp.exe
4908	tmpCAD.tmp.exe
4724	smss.exe
3420	tmp28D0.tmp.exe
4436	tmp28D0.tmp.exe
2732	smss.exe
4408	tmp44C4.tmp.exe
4856	tmp44C4.tmp.exe
1948	smss.exe
2748	tmp605B.tmp.exe
2704	tmp605B.tmp.exe
1284	smss.exe
3428	tmp7B65.tmp.exe
5116	tmp7B65.tmp.exe
1792	smss.exe
4688	tmpAB8D.tmp.exe
2132	tmpAB8D.tmp.exe
220	smss.exe
4520	tmpDB57.tmp.exe
4812	tmpDB57.tmp.exe
3860	smss.exe
4764	tmpA95.tmp.exe
5060	tmpA95.tmp.exe
1136	smss.exe
4604	tmp2560.tmp.exe
3656	tmp2560.tmp.exe
1828	smss.exe
2632	smss.exe
2224	tmp6F2B.tmp.exe
3860	tmp6F2B.tmp.exe
4688	smss.exe
4616	tmp8B00.tmp.exe
644	tmp8B00.tmp.exe
3468	tmp8B00.tmp.exe
4536	smss.exe
4984	tmpBA2E.tmp.exe
2260	tmpBA2E.tmp.exe
2984	smss.exe
1632	tmpE8EF.tmp.exe
4964	tmpE8EF.tmp.exe
3140	tmpE8EF.tmp.exe
4124	tmpE8EF.tmp.exe

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

tmpBC8C.tmp.exetmpD978.tmp.exetmpCAD.tmp.exetmp28D0.tmp.exetmp44C4.tmp.exetmp605B.tmp.exetmp7B65.tmp.exetmpAB8D.tmp.exetmpDB57.tmp.exetmpA95.tmp.exetmp2560.tmp.exetmp6F2B.tmp.exetmp8B00.tmp.exetmpBA2E.tmp.exetmpE8EF.tmp.exe

description	pid	process	target process
PID 1772 set thread context of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 4852 set thread context of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 1536 set thread context of 4908	1536	tmpCAD.tmp.exe	tmpCAD.tmp.exe
PID 3420 set thread context of 4436	3420	tmp28D0.tmp.exe	tmp28D0.tmp.exe
PID 4408 set thread context of 4856	4408	tmp44C4.tmp.exe	tmp44C4.tmp.exe
PID 2748 set thread context of 2704	2748	tmp605B.tmp.exe	tmp605B.tmp.exe
PID 3428 set thread context of 5116	3428	tmp7B65.tmp.exe	tmp7B65.tmp.exe
PID 4688 set thread context of 2132	4688	tmpAB8D.tmp.exe	tmpAB8D.tmp.exe
PID 4520 set thread context of 4812	4520	tmpDB57.tmp.exe	tmpDB57.tmp.exe
PID 4764 set thread context of 5060	4764	tmpA95.tmp.exe	tmpA95.tmp.exe
PID 4604 set thread context of 3656	4604	tmp2560.tmp.exe	tmp2560.tmp.exe
PID 2224 set thread context of 3860	2224	tmp6F2B.tmp.exe	tmp6F2B.tmp.exe
PID 644 set thread context of 3468	644	tmp8B00.tmp.exe	tmp8B00.tmp.exe
PID 4984 set thread context of 2260	4984	tmpBA2E.tmp.exe	tmpBA2E.tmp.exe
PID 3140 set thread context of 4124	3140	tmpE8EF.tmp.exe	tmpE8EF.tmp.exe

Drops file in Program Files directory 12 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\eddb19405b7ce1	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backgroundTaskHost.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\38384e6a620884	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXB8E1.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXBF8C.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\RCXC1A0.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\backgroundTaskHost.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Drops file in Windows directory 5 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

description	ioc	process
File opened for modification	C:\Windows\PLA\Templates\RCXBAF5.tmp	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File opened for modification	C:\Windows\PLA\Templates\smss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\diagnostics\system\Printer\Registry.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\PLA\Templates\smss.exe	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
File created	C:\Windows\PLA\Templates\69ddcba757bf72	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpBC8C.tmp.exetmp8B00.tmp.exetmpE8EF.tmp.exetmpCAD.tmp.exetmp44C4.tmp.exetmpAB8D.tmp.exetmp6F2B.tmp.exetmpD978.tmp.exetmp28D0.tmp.exetmpDB57.tmp.exetmpA95.tmp.exetmp2560.tmp.exetmpE8EF.tmp.exetmpD978.tmp.exetmp605B.tmp.exetmp7B65.tmp.exetmp8B00.tmp.exetmpBA2E.tmp.exetmpE8EF.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBC8C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8B00.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE8EF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCAD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp44C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB8D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6F2B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD978.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp28D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDB57.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA95.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2560.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE8EF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD978.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp605B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B65.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8B00.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA2E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE8EF.tmp.exe

Modifies registry class 16 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3852	schtasks.exe
1840	schtasks.exe
3908	schtasks.exe
4752	schtasks.exe
2792	schtasks.exe
3172	schtasks.exe
4524	schtasks.exe
884	schtasks.exe
3556	schtasks.exe
840	schtasks.exe
4852	schtasks.exe
4612	schtasks.exe
2624	schtasks.exe
4492	schtasks.exe
1816	schtasks.exe
744	schtasks.exe
4772	schtasks.exe
372	schtasks.exe
808	schtasks.exe
2284	schtasks.exe
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
1028	powershell.exe
1028	powershell.exe
2968	powershell.exe
2968	powershell.exe
3108	powershell.exe
3108	powershell.exe
1792	powershell.exe
1792	powershell.exe
2824	powershell.exe
2824	powershell.exe
2472	powershell.exe
2472	powershell.exe
3432	powershell.exe
3432	powershell.exe
4764	powershell.exe
4764	powershell.exe
4004	powershell.exe
4004	powershell.exe
4412	powershell.exe
4412	powershell.exe
1752	powershell.exe
1752	powershell.exe
4764	powershell.exe
1752	powershell.exe
1028	powershell.exe
3108	powershell.exe
1792	powershell.exe
3432	powershell.exe
2472	powershell.exe
2968	powershell.exe
2824	powershell.exe
4004	powershell.exe
4412	powershell.exe
2108	smss.exe
2108	smss.exe
3388	smss.exe
4724	smss.exe
2732	smss.exe
1948	smss.exe
1284	smss.exe
1792	smss.exe
220	smss.exe
3860	smss.exe
1136	smss.exe
1828	smss.exe
2632	smss.exe
4688	smss.exe
4536	smss.exe
2984	smss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2108	smss.exe
Token: SeDebugPrivilege	3388	smss.exe
Token: SeDebugPrivilege	4724	smss.exe
Token: SeDebugPrivilege	2732	smss.exe
Token: SeDebugPrivilege	1948	smss.exe
Token: SeDebugPrivilege	1284	smss.exe
Token: SeDebugPrivilege	1792	smss.exe
Token: SeDebugPrivilege	220	smss.exe
Token: SeDebugPrivilege	3860	smss.exe
Token: SeDebugPrivilege	1136	smss.exe
Token: SeDebugPrivilege	1828	smss.exe
Token: SeDebugPrivilege	2632	smss.exe
Token: SeDebugPrivilege	4688	smss.exe
Token: SeDebugPrivilege	4536	smss.exe
Token: SeDebugPrivilege	2984	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exetmpBC8C.tmp.exesmss.exetmpD978.tmp.exetmpD978.tmp.exeWScript.exesmss.exetmpCAD.tmp.exe

description	pid	process	target process
PID 4520 wrote to memory of 1772	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	tmpBC8C.tmp.exe
PID 4520 wrote to memory of 1772	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	tmpBC8C.tmp.exe
PID 4520 wrote to memory of 1772	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 1772 wrote to memory of 2616	1772	tmpBC8C.tmp.exe	tmpBC8C.tmp.exe
PID 4520 wrote to memory of 1752	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 1752	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2824	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2824	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 3108	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 3108	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4004	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4004	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 3432	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 3432	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2472	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2472	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2968	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2968	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 1028	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 1028	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4764	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4764	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 1792	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 1792	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4412	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 4412	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	powershell.exe
PID 4520 wrote to memory of 2108	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	smss.exe
PID 4520 wrote to memory of 2108	4520	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe	smss.exe
PID 2108 wrote to memory of 3852	2108	smss.exe	WScript.exe
PID 2108 wrote to memory of 3852	2108	smss.exe	WScript.exe
PID 2108 wrote to memory of 2112	2108	smss.exe	WScript.exe
PID 2108 wrote to memory of 2112	2108	smss.exe	WScript.exe
PID 2108 wrote to memory of 100	2108	smss.exe	tmpD978.tmp.exe
PID 2108 wrote to memory of 100	2108	smss.exe	tmpD978.tmp.exe
PID 2108 wrote to memory of 100	2108	smss.exe	tmpD978.tmp.exe
PID 100 wrote to memory of 4852	100	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 100 wrote to memory of 4852	100	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 100 wrote to memory of 4852	100	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 4852 wrote to memory of 4952	4852	tmpD978.tmp.exe	tmpD978.tmp.exe
PID 3852 wrote to memory of 3388	3852	WScript.exe	smss.exe
PID 3852 wrote to memory of 3388	3852	WScript.exe	smss.exe
PID 3388 wrote to memory of 1712	3388	smss.exe	WScript.exe
PID 3388 wrote to memory of 1712	3388	smss.exe	WScript.exe
PID 3388 wrote to memory of 1108	3388	smss.exe	WScript.exe
PID 3388 wrote to memory of 1108	3388	smss.exe	WScript.exe
PID 3388 wrote to memory of 1536	3388	smss.exe	tmpCAD.tmp.exe
PID 3388 wrote to memory of 1536	3388	smss.exe	tmpCAD.tmp.exe
PID 3388 wrote to memory of 1536	3388	smss.exe	tmpCAD.tmp.exe
PID 1536 wrote to memory of 4908	1536	tmpCAD.tmp.exe	tmpCAD.tmp.exe
PID 1536 wrote to memory of 4908	1536	tmpCAD.tmp.exe	tmpCAD.tmp.exe
PID 1536 wrote to memory of 4908	1536	tmpCAD.tmp.exe	tmpCAD.tmp.exe
PID 1536 wrote to memory of 4908	1536	tmpCAD.tmp.exe	tmpCAD.tmp.exe

System policy modification 1 TTPs 48 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exec200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exesmss.exesmss.exesmss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe
"C:\Users\Admin\AppData\Local\Temp\c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4520
- C:\Users\Admin\AppData\Local\Temp\tmpBC8C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBC8C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\tmpBC8C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBC8C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\PLA\Templates\smss.exe
  "C:\Windows\PLA\Templates\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2108
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac861035-b8be-4243-8d67-648f4d408129.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\PLA\Templates\smss.exe
      C:\Windows\PLA\Templates\smss.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3388
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbaf7263-d1a7-4eab-819a-cb51a2ca110c.vbs"
        5⤵
        
        PID:1712
      - C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7318c555-38f8-4069-bc2e-a74480fdf10d.vbs"
        7⤵
        
        PID:1460
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0efa2a36-2b38-4c37-986b-82383bb142a1.vbs"
        9⤵
        
        PID:4884
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23ad5882-5411-4641-b1bc-cda0ef405c38.vbs"
        11⤵
        
        PID:4984
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad7e8c84-3836-4ceb-891a-f81062726423.vbs"
        13⤵
        
        PID:4352
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11d6b33f-6b03-41ee-be6e-698165632252.vbs"
        15⤵
        
        PID:1344
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69881f3b-805d-448e-896e-61fc57285db1.vbs"
        17⤵
        
        PID:2224
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0fc6807-d42f-4e68-917a-0243dedc48b9.vbs"
        19⤵
        
        PID:3348
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5202e963-89b5-4696-8f1e-aa6a184b890d.vbs"
        21⤵
        
        PID:2728
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34161388-a845-4fc4-adab-7d7e6ba96100.vbs"
        23⤵
        
        PID:4720
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1c2007-ccf4-469d-9dc5-8770d7fa8937.vbs"
        25⤵
        
        PID:3748
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7140f0a-0e87-4325-bdae-b65f95639fad.vbs"
        27⤵
        
        PID:3120
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b50d7d0f-0766-4a51-8e31-3fb33c2ac096.vbs"
        29⤵
        
        PID:2792
        
        C:\Windows\PLA\Templates\smss.exe
        
        C:\Windows\PLA\Templates\smss.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659b5022-0ad5-4415-b6d8-1decc35ae8de.vbs"
        31⤵
        
        PID:4484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41d29ede-dca4-4d4e-8463-7e8f93fb40a3.vbs"
        31⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE8EF.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d40e671-86a0-4617-80d4-52d4e5fc9ab7.vbs"
        29⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmpBA2E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBA2E.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmpBA2E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBA2E.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d335bd2e-0415-41bc-95a5-7eb26c486d09.vbs"
        27⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8B00.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0022a21e-f9aa-4c72-946c-daac31b11a7d.vbs"
        25⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp6F2B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6F2B.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp6F2B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6F2B.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3468a450-62c9-4c14-a57d-38bc6efd53cb.vbs"
        23⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca3802d-c78d-4917-b32a-b86597174d4c.vbs"
        21⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp2560.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2560.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp2560.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2560.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f482bc5-ba83-4d9f-92b2-57b380856e85.vbs"
        19⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmpA95.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA95.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmpA95.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA95.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a156c0c0-75d4-4d43-af78-02e86c6a6422.vbs"
        17⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmpDB57.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDB57.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmpDB57.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDB57.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\351a47ef-0f4e-4b2f-a84b-07ac085ccb80.vbs"
        15⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB8D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB8D.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB8D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB8D.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa6e3a01-b789-40a5-b2b7-4487890893b0.vbs"
        13⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B65.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B65.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B65.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B65.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60f738e9-0ab5-4aec-b55b-d57fe5d03cc7.vbs"
        11⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp605B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp605B.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp605B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp605B.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dca99252-9c61-4dc4-9879-9bb6f59bfc8b.vbs"
        9⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp44C4.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd84e74a-b960-4e53-9e2c-de6614f99b77.vbs"
        7⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp28D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp28D0.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp28D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp28D0.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbac17f7-8356-4d99-8fe8-e153441f7660.vbs"
        5⤵
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\tmpCAD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCAD.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\tmpCAD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCAD.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aba3461-305b-4572-9934-d2a960c28434.vbs"
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD978.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SearchApp.exe

Filesize
4.9MB

MD5
6980bcd5d7d665f70f434120a1d20549

SHA1
8104f0c2f92ecb1ab9c6700f14d56059a93a9465

SHA256
c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16

SHA512
2eb62827b55c986e2f6a076e9b5fb880bbcccc938d6581293f56ce9f2970a55f6bd27112486ccf20b792ef493cc7b1351a73a8bdda478af9b5c50e8ba0b00de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0efa2a36-2b38-4c37-986b-82383bb142a1.vbs

Filesize
709B

MD5
dafa93d86c3cd8f2041ace6d151d02a4

SHA1
7767f18116ac57bc6ae095751fe6244d9dd36044

SHA256
3c731623a7e52743e59e24a484c4a57128c47b95bd90eca9a3eda286674692fd

SHA512
eff357f8df6dd806d004b00fb7bc95627b2694863157e1e36baeba3034f5bb505d226a021994a1d2298bf8d9cd3685f880f759d6bf06e48580d4a5026576f4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\11d6b33f-6b03-41ee-be6e-698165632252.vbs

Filesize
709B

MD5
93a13cba5790d0bd4785bbec5d88503a

SHA1
e2d3ce6436c99e0d456b1b9d624cf17362c8910c

SHA256
0387288327c264a017b8edb950b469dff693aac9f968458233ab10d4518d111c

SHA512
9df4fb2fd549d71a2a4a7e71872789953c2b01936b110dbe905f831a93eadd2489b6a09c969dbf267dd073690c6dfb38dece6b432c7387e4b0c57a5fcc9ba8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\23ad5882-5411-4641-b1bc-cda0ef405c38.vbs

Filesize
709B

MD5
0b4718316fd1a31d439b313ecf9716a1

SHA1
ea4dbfe11210c82c4b91421dbdd133a92e1117bc

SHA256
faf9e17f5d9e506bf71408d4349bce9f0988fe080822a46a9274811f92de24aa

SHA512
575e22b951e7877fd1f407ab84725b1a029a7e1adf87742884ce6cf56903fcb1a19c042b31948f2abed6f3af8540cadde767e4464185b8cbcd21262e87780c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aba3461-305b-4572-9934-d2a960c28434.vbs

Filesize
485B

MD5
163bf066f1bd220182d8d8fd88e96a5f

SHA1
6612a18949cc31fc19a2aa3de7907998551a35bd

SHA256
affae8a449708eceb921f7133e40acb9be124b921bf6430982113cf5e6940bad

SHA512
352d339020c2ddee854530b2eeb5f7d71d3b99e7b09c9c220b686922a88170e1b90df6f3e0ac33efed376929a345ac7a0affaa6036cfc7897e7e93ce3904aa1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7318c555-38f8-4069-bc2e-a74480fdf10d.vbs

Filesize
709B

MD5
1d54e91178cd46124310819f92050052

SHA1
097c66888605c5216b8c9bb0c700cdf3335ddd86

SHA256
7035eae7ae6c257fd2fe0295728d4ffd300cffc3ed155d70faffffcd8a81ecb3

SHA512
e848d11bdd3c986126f557d5cd03023eab93dab824c1c28cf6d5a014eea60cbf1fe02589c95673ee6e51afec167909b608884291b1a85b0b77ddd755a1ee92e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_loku2cnx.x4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac861035-b8be-4243-8d67-648f4d408129.vbs

Filesize
709B

MD5
67875b7da81c04aaf983e88451db6ffe

SHA1
9c6263d504ba36b398c59e41360d5c41f9874810

SHA256
1550f650b25dc89e1259910065007ad32fe213df1a42f63b50b620ba63931582

SHA512
d522ef039681246c1646257d3c519f24841c7fe5d04c11934e9400187890a62c6609d059260febd48c2ce79c3979a67433869f59338bb02d4c55d041122560d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad7e8c84-3836-4ceb-891a-f81062726423.vbs

Filesize
709B

MD5
8cb4793b1c63c3a164aa03826ec03230

SHA1
55a490f451bc16ffc71b2e4929d76055a5cb428e

SHA256
83e53755d2d590878a514b684a707e817ef439bce8601a74f3fec392c63a3c6e

SHA512
971840e559b9a0fe0c7da5f79508ab90a9fdb68cc9c5da331d8203f36d9124d8a83ed4c25adcf2f36da0de737380c7713e1b28466aa077979a012b8e16699a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbaf7263-d1a7-4eab-819a-cb51a2ca110c.vbs

Filesize
709B

MD5
54edacf55885b87bb8f38b1cd3425ced

SHA1
73f26b2bc951b6759eaf3f60b3472167a26fe005

SHA256
96f8481e7a1b1c21d526aac6adfa25312dfddd95cde04ca42e70754f9af87e61

SHA512
8da4a24c71cfc8c5e9da94c367ac443217e6680b3edc07a695444be9b119d93770eedc48cde6dcad5c6cfc79e24e647e66e8e6df322101f2c41d5cc35e8843ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC8C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\PLA\Templates\smss.exe

Filesize
4.9MB

MD5
1053a8faf12f5a766e3e6aa05c498afd

SHA1
9c79800fbd7367f993049e4596d17359bd7f3489

SHA256
3d751221eddadb540bc0403714e7412c1b9da3dd0b3f38b3517c279afbe2398e

SHA512
4f8b38472fd14ee9cb167a2833859e71d38643ca780aa041bd80ff637e6772cce09f9e8dbf854315fb25c8c6a75697b5b493816eb0f02a959eff876037c49848

Download Submit
memory/1028-153-0x0000022B7A200000-0x0000022B7A222000-memory.dmp

Filesize
136KB

Download
memory/1136-475-0x000000001D840000-0x000000001D852000-memory.dmp

Filesize
72KB

Download
memory/2108-255-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/2616-61-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4520-14-0x000000001BC50000-0x000000001BC5E000-memory.dmp

Filesize
56KB

Download
memory/4520-10-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/4520-0-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download
memory/4520-256-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4520-12-0x000000001C800000-0x000000001CD28000-memory.dmp

Filesize
5.2MB

Download
memory/4520-15-0x000000001BC60000-0x000000001BC6E000-memory.dmp

Filesize
56KB

Download
memory/4520-13-0x000000001BC40000-0x000000001BC4A000-memory.dmp

Filesize
40KB

Download
memory/4520-17-0x000000001C2E0000-0x000000001C2E8000-memory.dmp

Filesize
32KB

Download
memory/4520-11-0x000000001BC30000-0x000000001BC42000-memory.dmp

Filesize
72KB

Download
memory/4520-16-0x000000001C2D0000-0x000000001C2D8000-memory.dmp

Filesize
32KB

Download
memory/4520-8-0x000000001BBF0000-0x000000001BC06000-memory.dmp

Filesize
88KB

Download
memory/4520-9-0x000000001BC10000-0x000000001BC20000-memory.dmp

Filesize
64KB

Download
memory/4520-5-0x000000001C280000-0x000000001C2D0000-memory.dmp

Filesize
320KB

Download
memory/4520-6-0x000000001B990000-0x000000001B998000-memory.dmp

Filesize
32KB

Download
memory/4520-7-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/4520-4-0x000000001B970000-0x000000001B98C000-memory.dmp

Filesize
112KB

Download
memory/4520-3-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/4520-2-0x000000001BAB0000-0x000000001BBDE000-memory.dmp

Filesize
1.2MB

Download
memory/4520-1-0x0000000000850000-0x0000000000D44000-memory.dmp

Filesize
5.0MB

Download
memory/4520-18-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download