colibri | 82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Size

4.9MB
MD5

fa1e134ed3a3784a211e9fb679ef7e60
SHA1

586b4fd3f2e1163968ea56d61f349494b45fd633
SHA256

82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2
SHA512

a6131eaa1c25a9650b5b578aefb9a05f9c5b345fcf8a352fb309f28072db09c41f63b99064225cd491c6c064846b970c99ef8e9ac815181b8d4f4e691b3d6379
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	972	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	972	schtasks.exe	86

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4892-3-0x000000001C2D0000-0x000000001C3FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
316	powershell.exe
2552	powershell.exe
4752	powershell.exe
2452	powershell.exe
1392	powershell.exe
5008	powershell.exe
3384	powershell.exe
1976	powershell.exe
3128	powershell.exe
4504	powershell.exe
2440	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 29 IoCs

pid	Process
2072	tmpD072.tmp.exe
3592	tmpD072.tmp.exe
4200	wininit.exe
2292	tmp376.tmp.exe
3932	tmp376.tmp.exe
3256	tmp376.tmp.exe
2028	tmp376.tmp.exe
2452	wininit.exe
1956	wininit.exe
4352	wininit.exe
692	wininit.exe
4676	tmpA3BD.tmp.exe
2276	tmpA3BD.tmp.exe
2340	wininit.exe
4404	tmpD443.tmp.exe
184	tmpD443.tmp.exe
3888	wininit.exe
4836	wininit.exe
2192	tmpEDB.tmp.exe
2584	tmpEDB.tmp.exe
3696	wininit.exe
2400	tmp41C2.tmp.exe
1832	tmp41C2.tmp.exe
4500	wininit.exe
4660	wininit.exe
3096	tmp7B9F.tmp.exe
464	tmp7B9F.tmp.exe
4156	tmp7B9F.tmp.exe
3836	tmp7B9F.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 3592	2072	tmpD072.tmp.exe	140
PID 3256 set thread context of 2028	3256	tmp376.tmp.exe	176
PID 916 set thread context of 4376	916	tmp728B.tmp.exe	190
PID 4676 set thread context of 2276	4676	tmpA3BD.tmp.exe	196
PID 4404 set thread context of 184	4404	tmpD443.tmp.exe	202
PID 2192 set thread context of 2584	2192	tmpEDB.tmp.exe	211
PID 2400 set thread context of 1832	2400	tmp41C2.tmp.exe	217
PID 4156 set thread context of 3836	4156	tmp7B9F.tmp.exe	228

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\System.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\RCXDE15.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\5940a34987c991	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files\Windows Multimedia Platform\wininit.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXE4BF.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Windows NT\wininit.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\wininit.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXEB4A.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\e9a5a9c93980df	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Microsoft.NET\6cb0b6c459d5d3	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Windows NT\56085415360792	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Microsoft.NET\dwm.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files\Windows Multimedia Platform\56085415360792	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXCDA1.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Program Files (x86)\Windows Defender\System.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXE8C8.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\dwm.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\wininit.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXD5E4.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\TextInputHost.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File created	C:\Windows\Tasks\22eafd247d37c3	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Windows\Tasks\RCXEFCF.tmp	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
File opened for modification	C:\Windows\Tasks\TextInputHost.exe	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp376.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp376.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA3BD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD443.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEDB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B9F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B9F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD072.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp376.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp728B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp41C2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B9F.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	wininit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4992	schtasks.exe
524	schtasks.exe
2400	schtasks.exe
228	schtasks.exe
796	schtasks.exe
3408	schtasks.exe
336	schtasks.exe
3140	schtasks.exe
3868	schtasks.exe
1956	schtasks.exe
2140	schtasks.exe
868	schtasks.exe
4276	schtasks.exe
1552	schtasks.exe
4444	schtasks.exe
4028	schtasks.exe
2828	schtasks.exe
5048	schtasks.exe
3088	schtasks.exe
2264	schtasks.exe
3656	schtasks.exe
3988	schtasks.exe
3152	schtasks.exe
3444	schtasks.exe
3584	schtasks.exe
1656	schtasks.exe
4008	schtasks.exe
3696	schtasks.exe
1020	schtasks.exe
4836	schtasks.exe
4680	schtasks.exe
4496	schtasks.exe
2000	schtasks.exe
4272	schtasks.exe
1840	schtasks.exe
2004	schtasks.exe
968	schtasks.exe
4960	schtasks.exe
4660	schtasks.exe
4976	schtasks.exe
4716	schtasks.exe
64	schtasks.exe
4724	schtasks.exe
3772	schtasks.exe
2216	schtasks.exe
2112	schtasks.exe
2412	schtasks.exe
412	schtasks.exe
4876	schtasks.exe
1596	schtasks.exe
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
2452	powershell.exe
2452	powershell.exe
4752	powershell.exe
4752	powershell.exe
5008	powershell.exe
5008	powershell.exe
2440	powershell.exe
2440	powershell.exe
2552	powershell.exe
2552	powershell.exe
316	powershell.exe
316	powershell.exe
3384	powershell.exe
3384	powershell.exe
4504	powershell.exe
4504	powershell.exe
1976	powershell.exe
1976	powershell.exe
1392	powershell.exe
1392	powershell.exe
3128	powershell.exe
3128	powershell.exe
4504	powershell.exe
5008	powershell.exe
1976	powershell.exe
4752	powershell.exe
2452	powershell.exe
3384	powershell.exe
2552	powershell.exe
3128	powershell.exe
2440	powershell.exe
1392	powershell.exe
316	powershell.exe
4200	wininit.exe
4200	wininit.exe
2452	wininit.exe
1956	wininit.exe
692	wininit.exe
2340	wininit.exe
3888	wininit.exe
4836	wininit.exe
3696	wininit.exe
4500	wininit.exe
4660	wininit.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4200	wininit.exe
Token: SeDebugPrivilege	2452	wininit.exe
Token: SeDebugPrivilege	1956	wininit.exe
Token: SeDebugPrivilege	692	wininit.exe
Token: SeDebugPrivilege	2340	wininit.exe
Token: SeDebugPrivilege	3888	wininit.exe
Token: SeDebugPrivilege	4836	wininit.exe
Token: SeDebugPrivilege	3696	wininit.exe
Token: SeDebugPrivilege	4500	wininit.exe
Token: SeDebugPrivilege	4660	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2072	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	138
PID 4892 wrote to memory of 2072	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	138
PID 4892 wrote to memory of 2072	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	138
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 2072 wrote to memory of 3592	2072	tmpD072.tmp.exe	140
PID 4892 wrote to memory of 2440	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	147
PID 4892 wrote to memory of 2440	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	147
PID 4892 wrote to memory of 4504	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	148
PID 4892 wrote to memory of 4504	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	148
PID 4892 wrote to memory of 5008	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	149
PID 4892 wrote to memory of 5008	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	149
PID 4892 wrote to memory of 2452	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	150
PID 4892 wrote to memory of 2452	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	150
PID 4892 wrote to memory of 3384	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	151
PID 4892 wrote to memory of 3384	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	151
PID 4892 wrote to memory of 2552	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	152
PID 4892 wrote to memory of 2552	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	152
PID 4892 wrote to memory of 316	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	153
PID 4892 wrote to memory of 316	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	153
PID 4892 wrote to memory of 1392	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	154
PID 4892 wrote to memory of 1392	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	154
PID 4892 wrote to memory of 4752	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	155
PID 4892 wrote to memory of 4752	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	155
PID 4892 wrote to memory of 3128	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	157
PID 4892 wrote to memory of 3128	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	157
PID 4892 wrote to memory of 1976	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	158
PID 4892 wrote to memory of 1976	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	158
PID 4892 wrote to memory of 4200	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	169
PID 4892 wrote to memory of 4200	4892	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe	169
PID 4200 wrote to memory of 2192	4200	wininit.exe	170
PID 4200 wrote to memory of 2192	4200	wininit.exe	170
PID 4200 wrote to memory of 1676	4200	wininit.exe	171
PID 4200 wrote to memory of 1676	4200	wininit.exe	171
PID 4200 wrote to memory of 2292	4200	wininit.exe	172
PID 4200 wrote to memory of 2292	4200	wininit.exe	172
PID 4200 wrote to memory of 2292	4200	wininit.exe	172
PID 2292 wrote to memory of 3932	2292	tmp376.tmp.exe	174
PID 2292 wrote to memory of 3932	2292	tmp376.tmp.exe	174
PID 2292 wrote to memory of 3932	2292	tmp376.tmp.exe	174
PID 3932 wrote to memory of 3256	3932	tmp376.tmp.exe	175
PID 3932 wrote to memory of 3256	3932	tmp376.tmp.exe	175
PID 3932 wrote to memory of 3256	3932	tmp376.tmp.exe	175
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 3256 wrote to memory of 2028	3256	tmp376.tmp.exe	176
PID 2192 wrote to memory of 2452	2192	WScript.exe	177
PID 2192 wrote to memory of 2452	2192	WScript.exe	177
PID 2452 wrote to memory of 1388	2452	wininit.exe	178
PID 2452 wrote to memory of 1388	2452	wininit.exe	178
PID 2452 wrote to memory of 3920	2452	wininit.exe	179
PID 2452 wrote to memory of 3920	2452	wininit.exe	179
PID 1388 wrote to memory of 1956	1388	WScript.exe	182
PID 1388 wrote to memory of 1956	1388	WScript.exe	182
PID 1956 wrote to memory of 3156	1956	wininit.exe	183
PID 1956 wrote to memory of 3156	1956	wininit.exe	183

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe
"C:\Users\Admin\AppData\Local\Temp\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4892
- C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Program Files\Windows Multimedia Platform\wininit.exe
  "C:\Program Files\Windows Multimedia Platform\wininit.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0f1e146-5c91-4abc-bd17-976b7e9f2423.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files\Windows Multimedia Platform\wininit.exe
      "C:\Program Files\Windows Multimedia Platform\wininit.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1c21d9-653a-4ba3-9279-1c359d6c08d5.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\101d9c29-064c-4942-8656-94a3004aab6e.vbs"
        7⤵
        
        PID:3156
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        System policy modification
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50de5a4-8088-4629-8314-9dc91aca105e.vbs"
        9⤵
        
        PID:3520
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6660495e-904b-45e5-9906-bc58952b5caf.vbs"
        11⤵
        
        PID:3956
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57832c1f-2269-45a0-a446-7ba6f6a652ab.vbs"
        13⤵
        
        PID:4920
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\072fd804-d248-4a11-92f3-fdcd24659c50.vbs"
        15⤵
        
        PID:4376
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a8b645-fdc2-47d8-8877-4132fb7031f7.vbs"
        17⤵
        
        PID:2084
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed1ced3-09c7-470a-b4ed-c06051d9b2a5.vbs"
        19⤵
        
        PID:2552
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ffd7fa-8e33-411b-91f6-f42a99025205.vbs"
        21⤵
        
        PID:528
        
        C:\Program Files\Windows Multimedia Platform\wininit.exe
        
        "C:\Program Files\Windows Multimedia Platform\wininit.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2189fc04-152d-489b-91ab-41a8c92ba412.vbs"
        23⤵
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c7ca6a7-dc68-481a-ad9a-029b621a2314.vbs"
        23⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7B9F.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb737a06-760c-4c13-808a-950a2f2455bc.vbs"
        21⤵
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9859ccad-3769-4981-be74-7316d4b86cb6.vbs"
        19⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp41C2.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d59f5faa-6ea0-4c1d-b2cc-5d972581228e.vbs"
        17⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEDB.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b88306-7a54-4114-a8bf-ca79e32acf99.vbs"
        15⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f167d7fd-d274-4c89-b19f-2f32be848bd2.vbs"
        13⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD443.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7c36138-ef3f-4e6b-bfc9-971bfd41d9d7.vbs"
        11⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA3BD.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df113b0-9ccd-425f-a56f-c564a8bd3177.vbs"
        9⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe"
        9⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp728B.tmp.exe"
        10⤵
        
        PID:4376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b4e7561-0c9d-457a-a18e-e8b11890abf0.vbs"
        7⤵
        
        PID:1228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c0b5db-2262-46e4-8429-0ed4284ee486.vbs"
        5⤵
        
        PID:3920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e43bb37-603e-4f60-9a67-9bd2fd4f2890.vbs"
    3⤵
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp376.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N8" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N8" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\System.exe

Filesize
4.9MB

MD5
fa1e134ed3a3784a211e9fb679ef7e60

SHA1
586b4fd3f2e1163968ea56d61f349494b45fd633

SHA256
82d3f0c54cbc55a2df90efbbd8ddcbf4954663e4c2e3b2ab623b730537c934c2

SHA512
a6131eaa1c25a9650b5b578aefb9a05f9c5b345fcf8a352fb309f28072db09c41f63b99064225cd491c6c064846b970c99ef8e9ac815181b8d4f4e691b3d6379

Download Submit
C:\Program Files\Windows Multimedia Platform\wininit.exe

Filesize
4.9MB

MD5
7e763cd15fa3fd45fdaf72366a80dc2d

SHA1
310c8c3e95ae75a4d53d78f9538070cadac8995c

SHA256
e31f3d242dbadc82b3eec64999f85d2aeadf652f4f6fc0448b410b1b1d583111

SHA512
bf683fe01b86e786d3ae85e5e2cdb60b4fbd7c1620842807aa7bd82fa7e01c6d492f8d482badb885842c85d2276264d2477d742e5a280d67ee37431f4e81d79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\072fd804-d248-4a11-92f3-fdcd24659c50.vbs

Filesize
732B

MD5
f0fa8c23420ca9ee3ea915963399c022

SHA1
183413df19a6c856b98eb1555c41afb363b98398

SHA256
dadebf88a6ea9089e0d801d1efb0a3eefaf09697c9c94d4091d1191e208c325a

SHA512
a22cbd9cdacd46e44c4c4367b314618a9405ec8ed36c551f2e5d3c82d6942b211f5f42132ad86182e1af8c724b95eefebcd0877e02fcd4308d0e7dfc2a1ec540

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e43bb37-603e-4f60-9a67-9bd2fd4f2890.vbs

Filesize
508B

MD5
b4062591a89178763eb6e37b3a1e1f55

SHA1
9a6ca3eeda1fb4f1a8436e8948b19b04979e8e44

SHA256
065a643aaf88487e6c8c35ca47bceb29b86571f305e7c53dcae38c462147272f

SHA512
e5ea16580080318e1684e2153c98c8f2735b13f3f32d1cb3a547ecf631cca5934fd75e346b00d768f0c9cbda22c3a8d51824b1283bc5d0a66958c6322bcc748d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ed1ced3-09c7-470a-b4ed-c06051d9b2a5.vbs

Filesize
732B

MD5
f4bac639d585b8a86e063aa059cd6b7e

SHA1
473fe70088202bbce3379c2730f15cd9c26147fe

SHA256
4365e384a9c1ebcab1ccb6af8545aba76dcf6d4c592903ac65e8b5ad102b1dbd

SHA512
eefcbca77dd1d8d03d0550e8d75603280c8d454f349c6b6aea418ec3bb03849330bbb272e201b8ded4901d1eb7926435a19c7b54f2cc4c56a9866eed6c67764f

Download Submit
C:\Users\Admin\AppData\Local\Temp\101d9c29-064c-4942-8656-94a3004aab6e.vbs

Filesize
732B

MD5
c262f2c1d464d7cf005398ef09f9b84f

SHA1
e114f66a7163d0b4804f8835faef307154e88304

SHA256
96500f9880cab530862cf1ead89e32f40610fd8e8a8fad27873a44a591933a99

SHA512
c9a90872ace47bddf0a590664fdc3549d933348e3956e6ee25769dfcab6d471586c0098eb5b819df6f366d9f4f888d7f6986d0b1cd5ad3e8d0a6dce6636c9d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\30a8b645-fdc2-47d8-8877-4132fb7031f7.vbs

Filesize
732B

MD5
ff5caa602a83ee60437fa9d8aa21163d

SHA1
2a2d52a143752485dbcb44dd04683123e4a26e98

SHA256
68a5944d05015de07bfa7c3e1796efdf553c63e08afc2297e8ba0c3695f971a3

SHA512
0bb9f12d5a064e34ea35a4307e59eba6e48ec607ff63ec8594979bd6ba370c15d0e574bcd79e2226a4e1b189bdace40d68ebed72cfd3cb409d297a0d581ac91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\57832c1f-2269-45a0-a446-7ba6f6a652ab.vbs

Filesize
732B

MD5
330f1251c96ae803c3ebc245d38767bc

SHA1
e8082840f67474b4efef0cb6d0210d8838664f95

SHA256
816d8a45b02b228e6dfc0545be1b831b4c2f1d66d0583347dc370fac51cef1fc

SHA512
90b2f3c88baeb1249c26ca56761c2d0eba0dce3043267c3380cbb980cc6eab449c20147305eaa36d6518d67104d2cfec63ca5de41bfcf5557fcc567a8b44c065

Download Submit
C:\Users\Admin\AppData\Local\Temp\6660495e-904b-45e5-9906-bc58952b5caf.vbs

Filesize
731B

MD5
1cf5adf02ff6d1e85cca00b362f6bfec

SHA1
6e8ea12956a49a9f418a7afa8a47ee0d37d297e5

SHA256
cab1550e7227f7a2c933aa5498648ee5d43cc0655426de62528ab461c65ed433

SHA512
a89361e3a40ee2979b517f0e1cf6c534198d2389dc8a30c165f5647ae6ec8d32dda27937c6b89fb11f3ed72d7153c7f4acba7322de9994dcec44086580324007

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55doijbe.wjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\df1c21d9-653a-4ba3-9279-1c359d6c08d5.vbs

Filesize
732B

MD5
bd845fc9b0117b271f5917017061e211

SHA1
7b6e78e2cd84537c5a9ca45c6c63b76b9935798f

SHA256
1d2c91efc34ea988fe7aca565ebe35086811b6614241b4689d9d47b7296ad0c6

SHA512
7d89ea961a7f8d45f86efffea2ded18edd09fb61eebd32e77d5d540dbc2019ca72e13e2849a8d830cda13ce0c12dba82e044fed3e053a4880f8ae99b072ca9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0f1e146-5c91-4abc-bd17-976b7e9f2423.vbs

Filesize
732B

MD5
625da9d9e8061a87cdbda370bba7aa96

SHA1
278c0d38f1c44643e6080a9b377df776b9825335

SHA256
442db053872b9b53665e096226422cf31a6fff16bd07277410dd3ce5824fa0fb

SHA512
1bb697badf318798d8b2bdbdffd4fd48e24a1697da21d0371a6434c7ba1799b8e27925c3fc8b50e7998edf44814165b81024e698f6d1755c4c3e24c2eef11da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD072.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1956-405-0x000000001BD20000-0x000000001BD32000-memory.dmp

Filesize
72KB

Download
memory/2452-391-0x000000001B400000-0x000000001B412000-memory.dmp

Filesize
72KB

Download
memory/3592-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4200-337-0x000000001BB30000-0x000000001BB42000-memory.dmp

Filesize
72KB

Download
memory/4200-335-0x0000000000890000-0x0000000000D84000-memory.dmp

Filesize
5.0MB

Download
memory/4752-233-0x00000298376C0000-0x00000298376E2000-memory.dmp

Filesize
136KB

Download
memory/4892-11-0x0000000003610000-0x0000000003622000-memory.dmp

Filesize
72KB

Download
memory/4892-165-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-152-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/4892-18-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/4892-17-0x00000000036B0000-0x00000000036B8000-memory.dmp

Filesize
32KB

Download
memory/4892-336-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-16-0x00000000036A0000-0x00000000036A8000-memory.dmp

Filesize
32KB

Download
memory/4892-15-0x0000000003690000-0x000000000369E000-memory.dmp

Filesize
56KB

Download
memory/4892-13-0x0000000003670000-0x000000000367A000-memory.dmp

Filesize
40KB

Download
memory/4892-14-0x0000000003680000-0x000000000368E000-memory.dmp

Filesize
56KB

Download
memory/4892-12-0x000000001CE30000-0x000000001D358000-memory.dmp

Filesize
5.2MB

Download
memory/4892-0-0x00007FFC04313000-0x00007FFC04315000-memory.dmp

Filesize
8KB

Download
memory/4892-5-0x0000000003620000-0x0000000003670000-memory.dmp

Filesize
320KB

Download
memory/4892-6-0x0000000003490000-0x0000000003498000-memory.dmp

Filesize
32KB

Download
memory/4892-10-0x0000000003600000-0x000000000360A000-memory.dmp

Filesize
40KB

Download
memory/4892-8-0x00000000035D0000-0x00000000035E6000-memory.dmp

Filesize
88KB

Download
memory/4892-9-0x00000000035F0000-0x0000000003600000-memory.dmp

Filesize
64KB

Download
memory/4892-7-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/4892-4-0x0000000003470000-0x000000000348C000-memory.dmp

Filesize
112KB

Download
memory/4892-3-0x000000001C2D0000-0x000000001C3FE000-memory.dmp

Filesize
1.2MB

Download
memory/4892-2-0x00007FFC04310000-0x00007FFC04DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-1-0x0000000000E40000-0x0000000001334000-memory.dmp

Filesize
5.0MB

Download