colibri | 7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Size

4.9MB
MD5

0f810e60bd97e1197c9243549d36d0b0
SHA1

ad185690f90853a15eae667f6ca3f68031ce5764
SHA256

7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4
SHA512

4277e074e50e9b46f2bde6f1565569f2ffc3f20f275ef8fb24a5a457d18633531d322b39380d24ee9c118e1e714dcce4f8d4c969ea331455f5f85e9db13052e3
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3564	schtasks.exe
		3120	schtasks.exe
		1388	schtasks.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f		7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
		2892	schtasks.exe
		3120	schtasks.exe
		4844	schtasks.exe
		1448	schtasks.exe
		4188	schtasks.exe
		2432	schtasks.exe
		2400	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9		7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
		1488	schtasks.exe
		2548	schtasks.exe
		4196	schtasks.exe
		2888	schtasks.exe
		4748	schtasks.exe
		4496	schtasks.exe
		3872	schtasks.exe
		4436	schtasks.exe
		4076	schtasks.exe
		4536	schtasks.exe
		4756	schtasks.exe
		1260	schtasks.exe
		2868	schtasks.exe
		2476	schtasks.exe
		2372	schtasks.exe
		2272	schtasks.exe
		884	schtasks.exe
		2084	schtasks.exe
		2112	schtasks.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\pris\22eafd247d37c3		7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1		7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
		2952	schtasks.exe
		5064	schtasks.exe
		4448	schtasks.exe
		4336	schtasks.exe
		3428	schtasks.exe
		2912	schtasks.exe
		3708	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	4200	schtasks.exe	86

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4052-2-0x000000001C140000-0x000000001C26E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe
652	powershell.exe
3336	powershell.exe
1592	powershell.exe
2772	powershell.exe
3056	powershell.exe
4668	powershell.exe
2980	powershell.exe
1164	powershell.exe
1604	powershell.exe
1260	powershell.exe
2952	powershell.exe
3904	powershell.exe
3116	powershell.exe
1584	powershell.exe
2872	powershell.exe
2088	powershell.exe
3124	powershell.exe
4100	powershell.exe
2836	powershell.exe
4636	powershell.exe
3564	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 35 IoCs

pid	Process
3212	tmp8754.tmp.exe
3292	tmp8754.tmp.exe
1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
5052	tmpA921.tmp.exe
3368	sihost.exe
4248	tmpA921.tmp.exe
1820	tmpB779.tmp.exe
4636	tmpB779.tmp.exe
1416	sihost.exe
5104	tmpE88B.tmp.exe
4536	tmpE88B.tmp.exe
3692	sihost.exe
2696	tmp1A49.tmp.exe
4508	tmp1A49.tmp.exe
384	sihost.exe
3940	sihost.exe
3564	tmp5213.tmp.exe
5104	tmp5213.tmp.exe
2472	sihost.exe
2404	tmp8316.tmp.exe
4176	tmp8316.tmp.exe
3528	tmp8316.tmp.exe
1456	sihost.exe
4572	tmpB36D.tmp.exe
1400	tmpB36D.tmp.exe
3400	tmpB36D.tmp.exe
4932	sihost.exe
3988	tmpCEE4.tmp.exe
2764	tmpCEE4.tmp.exe
4864	sihost.exe
2696	tmpFFA8.tmp.exe
1196	tmpFFA8.tmp.exe
1532	sihost.exe
3656	tmp30AB.tmp.exe
976	tmp30AB.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3212 set thread context of 3292	3212	tmp8754.tmp.exe	121
PID 5052 set thread context of 4248	5052	tmpA921.tmp.exe	180
PID 1820 set thread context of 4636	1820	tmpB779.tmp.exe	185
PID 5104 set thread context of 4536	5104	tmpE88B.tmp.exe	191
PID 2696 set thread context of 4508	2696	tmp1A49.tmp.exe	199
PID 3564 set thread context of 5104	3564	tmp5213.tmp.exe	208
PID 4176 set thread context of 3528	4176	tmp8316.tmp.exe	215
PID 1400 set thread context of 3400	1400	tmpB36D.tmp.exe	222
PID 3988 set thread context of 2764	3988	tmpCEE4.tmp.exe	228
PID 2696 set thread context of 1196	2696	tmpFFA8.tmp.exe	234
PID 3656 set thread context of 976	3656	tmp30AB.tmp.exe	240

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCX8F67.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX93FD.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\eddb19405b7ce1	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\9e8d7a4ca61bd9	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RCX88AD.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemResources\Windows.UI.Cred\pris\RCX8426.tmp	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\ShellExperiences\dllhost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File opened for modification	C:\Windows\ShellExperiences\dllhost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\ShellExperiences\5940a34987c991	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
File created	C:\Windows\SystemResources\Windows.UI.Cred\pris\22eafd247d37c3	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8316.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8316.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFFA8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp30AB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA921.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A49.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE88B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5213.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB36D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB36D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCEE4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8754.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB779.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2084	schtasks.exe
2888	schtasks.exe
4748	schtasks.exe
3872	schtasks.exe
2272	schtasks.exe
1488	schtasks.exe
3428	schtasks.exe
3564	schtasks.exe
1448	schtasks.exe
2112	schtasks.exe
2548	schtasks.exe
4844	schtasks.exe
4536	schtasks.exe
4496	schtasks.exe
4196	schtasks.exe
2372	schtasks.exe
3120	schtasks.exe
4336	schtasks.exe
4436	schtasks.exe
4076	schtasks.exe
2868	schtasks.exe
3708	schtasks.exe
2912	schtasks.exe
2952	schtasks.exe
3120	schtasks.exe
2892	schtasks.exe
2476	schtasks.exe
2432	schtasks.exe
2400	schtasks.exe
4756	schtasks.exe
1260	schtasks.exe
4448	schtasks.exe
884	schtasks.exe
5064	schtasks.exe
4188	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
3124	powershell.exe
3124	powershell.exe
1140	powershell.exe
1140	powershell.exe
2088	powershell.exe
2088	powershell.exe
3904	powershell.exe
3904	powershell.exe
3116	powershell.exe
3116	powershell.exe
2836	powershell.exe
2836	powershell.exe
3056	powershell.exe
3056	powershell.exe
4668	powershell.exe
4668	powershell.exe
2980	powershell.exe
2980	powershell.exe
1584	powershell.exe
1584	powershell.exe
3056	powershell.exe
2088	powershell.exe
2772	powershell.exe
2772	powershell.exe
3124	powershell.exe
3904	powershell.exe
1140	powershell.exe
3116	powershell.exe
2980	powershell.exe
2836	powershell.exe
1584	powershell.exe
4668	powershell.exe
2772	powershell.exe
1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
3336	powershell.exe
3336	powershell.exe
1604	powershell.exe
1604	powershell.exe
4100	powershell.exe
4100	powershell.exe
4636	powershell.exe
4636	powershell.exe
2872	powershell.exe
2872	powershell.exe
1592	powershell.exe
1592	powershell.exe
2952	powershell.exe
2952	powershell.exe
3564	powershell.exe
3564	powershell.exe
1260	powershell.exe
1260	powershell.exe
1164	powershell.exe
1164	powershell.exe
652	powershell.exe
652	powershell.exe
1164	powershell.exe
3336	powershell.exe
4100	powershell.exe
4636	powershell.exe
1260	powershell.exe
2872	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Token: SeDebugPrivilege	3336	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3368	sihost.exe
Token: SeDebugPrivilege	1416	sihost.exe
Token: SeDebugPrivilege	3692	sihost.exe
Token: SeDebugPrivilege	384	sihost.exe
Token: SeDebugPrivilege	3940	sihost.exe
Token: SeDebugPrivilege	2472	sihost.exe
Token: SeDebugPrivilege	1456	sihost.exe
Token: SeDebugPrivilege	4932	sihost.exe
Token: SeDebugPrivilege	4864	sihost.exe
Token: SeDebugPrivilege	1532	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3212	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	119
PID 4052 wrote to memory of 3212	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	119
PID 4052 wrote to memory of 3212	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	119
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 3212 wrote to memory of 3292	3212	tmp8754.tmp.exe	121
PID 4052 wrote to memory of 2772	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	124
PID 4052 wrote to memory of 2772	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	124
PID 4052 wrote to memory of 3904	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	125
PID 4052 wrote to memory of 3904	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	125
PID 4052 wrote to memory of 3056	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	126
PID 4052 wrote to memory of 3056	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	126
PID 4052 wrote to memory of 3124	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	127
PID 4052 wrote to memory of 3124	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	127
PID 4052 wrote to memory of 1584	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	129
PID 4052 wrote to memory of 1584	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	129
PID 4052 wrote to memory of 3116	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	130
PID 4052 wrote to memory of 3116	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	130
PID 4052 wrote to memory of 2836	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	131
PID 4052 wrote to memory of 2836	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	131
PID 4052 wrote to memory of 1140	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	132
PID 4052 wrote to memory of 1140	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	132
PID 4052 wrote to memory of 2980	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	133
PID 4052 wrote to memory of 2980	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	133
PID 4052 wrote to memory of 2088	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	134
PID 4052 wrote to memory of 2088	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	134
PID 4052 wrote to memory of 4668	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	135
PID 4052 wrote to memory of 4668	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	135
PID 4052 wrote to memory of 1576	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	146
PID 4052 wrote to memory of 1576	4052	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	146
PID 1576 wrote to memory of 2872	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	155
PID 1576 wrote to memory of 2872	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	155
PID 1576 wrote to memory of 4100	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	156
PID 1576 wrote to memory of 4100	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	156
PID 1576 wrote to memory of 652	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	157
PID 1576 wrote to memory of 652	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	157
PID 1576 wrote to memory of 1164	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	158
PID 1576 wrote to memory of 1164	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	158
PID 1576 wrote to memory of 4636	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	159
PID 1576 wrote to memory of 4636	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	159
PID 1576 wrote to memory of 1604	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	160
PID 1576 wrote to memory of 1604	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	160
PID 1576 wrote to memory of 3336	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	161
PID 1576 wrote to memory of 3336	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	161
PID 1576 wrote to memory of 1592	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	162
PID 1576 wrote to memory of 1592	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	162
PID 1576 wrote to memory of 1260	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	163
PID 1576 wrote to memory of 1260	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	163
PID 1576 wrote to memory of 3564	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	164
PID 1576 wrote to memory of 3564	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	164
PID 1576 wrote to memory of 2952	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	165
PID 1576 wrote to memory of 2952	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	165
PID 1576 wrote to memory of 5052	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	177
PID 1576 wrote to memory of 5052	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	177
PID 1576 wrote to memory of 5052	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	177
PID 1576 wrote to memory of 3368	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	179
PID 1576 wrote to memory of 3368	1576	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe	179
PID 5052 wrote to memory of 4248	5052	tmpA921.tmp.exe	180
PID 5052 wrote to memory of 4248	5052	tmpA921.tmp.exe	180
PID 5052 wrote to memory of 4248	5052	tmpA921.tmp.exe	180

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sihost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
"C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4052
- C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe
  "C:\Users\Admin\AppData\Local\Temp\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA921.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4248
- - C:\Users\Admin\Searches\sihost.exe
    "C:\Users\Admin\Searches\sihost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3368
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e2c8be0-ac57-490e-905b-eebd46554b9e.vbs"
      4⤵
      PID:1168
    - - C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1416
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6acd2691-f044-4581-a343-9bf5db782544.vbs"
        6⤵
        
        PID:1948
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb1f49e1-745d-41bb-b2a1-5a1b5394f778.vbs"
        8⤵
        
        PID:3040
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef7ca4ca-4f60-4fdf-a915-d7a31b0fd49d.vbs"
        10⤵
        
        PID:4840
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\194b37d3-a4a9-4bec-a823-a0ac02d2279d.vbs"
        12⤵
        
        PID:4336
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ceb08c1d-238f-4551-afe5-267de991b2fb.vbs"
        14⤵
        
        PID:4972
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61f640cd-8a01-4c52-abed-3f4f4b9b7d42.vbs"
        16⤵
        
        PID:3356
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd08280d-7e46-4d4a-bca5-ea3f0f093ee2.vbs"
        18⤵
        
        PID:3148
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c462a84-44b3-4384-b6c1-fcc6f175c686.vbs"
        20⤵
        
        PID:1940
        
        C:\Users\Admin\Searches\sihost.exe
        
        C:\Users\Admin\Searches\sihost.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\269b0063-7dd0-48c8-ae19-063bc75c828c.vbs"
        22⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a12519-0cf1-4f61-a330-113543cf3463.vbs"
        22⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp30AB.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b837504-bc5e-4a8e-b5a9-c07971e78c84.vbs"
        20⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFFA8.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426e46b7-7432-410d-a941-775bb922f476.vbs"
        18⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCEE4.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9e73cb3-fc7f-4c53-aa2a-ef1ecb9dbe19.vbs"
        16⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22580c65-f876-4577-9521-f8b53f6150e3.vbs"
        14⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8316.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9edadea-5d77-417f-8df5-c67fb1b02008.vbs"
        12⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5213.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5001a5d5-8591-42b3-b8ec-1c1f49e7717d.vbs"
        10⤵
        
        PID:3896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51eec009-7f10-46ea-acde-434fe204b022.vbs"
        8⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A49.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4508
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03522d5a-d680-476d-8b8f-597cbe74c35f.vbs"
        6⤵
        
        PID:2112
      - C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE88B.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17553b89-00ce-4f20-93ff-f9a6ef4381b1.vbs"
      4⤵
      PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1820
    - - C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB779.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemResources\Windows.UI.Cred\pris\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Oracle\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Searches\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
4.9MB

MD5
0f810e60bd97e1197c9243549d36d0b0

SHA1
ad185690f90853a15eae667f6ca3f68031ce5764

SHA256
7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4

SHA512
4277e074e50e9b46f2bde6f1565569f2ffc3f20f275ef8fb24a5a457d18633531d322b39380d24ee9c118e1e714dcce4f8d4c969ea331455f5f85e9db13052e3

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
4.9MB

MD5
d137d70bf1b6722ae9afa1f8bd43619f

SHA1
8f6de2914d1e5e5afa1e9a71996f10d7aa068187

SHA256
30ad354cd7c248ee62fa1a44fc2239a16b3776efb21366371bb2e2af6af16208

SHA512
aad4cc657efad80821c6d9072bcddbb21403268f6a8042f38bcad53a50f6154afec254aecccc23fb94fbfb697483be92d1982c57826ecf849bc337604d63e7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7fea2d36f7a41fb2da182d41442e0d9a77b159a0f0a300e94bf50268b9f6abf4N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0e3b2b9cedce914db7c2e08d42c9e84a

SHA1
2fc57892471fd55556d3b82c6137247b1e9781ca

SHA256
9948769e7c25688af17c7146f7ce8ba25356b615fa9372ab4cdaf0dc21b84747

SHA512
6c61be0aae1c0ef263dc71eeb02b46f252eff319957034d7aeaf2b7d37e8cf870be0519cc310b3d8b86452bc98d63afefe6640cb50b76e238f4fedf171c67d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
815f9e54d2e55a6cd87a044f75fdba0c

SHA1
9e2c91b5d015a2f96539227ed0a5d83cf26f6c08

SHA256
ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f

SHA512
9198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
057e7742b25e65a341d1341da25b54a8

SHA1
65c874ac4f429a4172bdf89a73922e39873ecab6

SHA256
f8cf996545599e442f94820af5c724fca27d22de96bcef6aa308d0520c3a1468

SHA512
94b461e3705336b9ebf10df506f4a436cee20ac60540cfb6fd2f36c48e011836bf1f9e3f00e5b254ad6e6f1338a976dba495d398b4459687f518e815afde04e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\17553b89-00ce-4f20-93ff-f9a6ef4381b1.vbs

Filesize
486B

MD5
abd8287cf89a2e3bdfb2c68b74db94c4

SHA1
01accab0b9211c4169733832a9b51014cfd40027

SHA256
39a093a32d56a8153e15323ae5abe6117863a36d00854d70ab395420bd5ed989

SHA512
38db5136deaad8f7ba0a4a847f20912f5b43bdf52903aec95a60f000f59962de3c2daaaceb2a9167b63d9b26033c502cb021afa43b3a40952279247168c930c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\194b37d3-a4a9-4bec-a823-a0ac02d2279d.vbs

Filesize
710B

MD5
0224486e3a974027b60edc4f5c1e143f

SHA1
c47e6c05d5d65de7d4ea98f93531a84bcfabf716

SHA256
ca58a70804a07826e15042426e4b578065c76f63921b3341a65cd6489a1be7aa

SHA512
3dd5d572149f8d488b87f23667d8529b2d3226d65c8e111d9caf244f84af632adda0261645f3924b35fe84c982c74fb6d99c623d083a99620d9c5c531ae6a8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e2c8be0-ac57-490e-905b-eebd46554b9e.vbs

Filesize
710B

MD5
7ceb18f80af1a46c5a7d7d99034c4aa3

SHA1
887f9f395f7fa16b1c7e81214d1bab1a55b4e8d3

SHA256
1e2301e0c0a2f00812f245636f55812d4cfe10d50d14515af8355ac166dffcdd

SHA512
d4e78a7edfbff69e0b98af41d1c7896b9f8fc25a0f31ae2c6d137e8453b2c94a88d738e549dea3485aa085bd4fd38417b1d99f1a8fc7863f0800de641f7233f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6acd2691-f044-4581-a343-9bf5db782544.vbs

Filesize
710B

MD5
4d56e0b6434434ea5e5fa0fe1df2042a

SHA1
6b4fa61a2768c8ba4679534465624cc441eaefb2

SHA256
59fbcea390c97d4980f4ba3b6ac06f666a9632888e906d296d1d03f26961f303

SHA512
b1161666aa614c1395b59bdfb890749f23860038ae6cc171c97cfee7ca18175b28c2df82ef7642e3ebcd400ed03923b5f5cc64cdd9cda8edcdb73c5afe977ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q20mla25.juw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb1f49e1-745d-41bb-b2a1-5a1b5394f778.vbs

Filesize
710B

MD5
c69c2a0e215cc06aa47d87ad7b42da1f

SHA1
c27c8079c90acda269056880d8196fa8b4133f1b

SHA256
ef4c78a8683077f311250f480a26396ca1e4ad0efba933e0b60851048d8db486

SHA512
2e36ade17de2062894dfe4537eb1ca72c9fe5f59a42af360607efe7022a736a86c6e578a400550f2afcc9855783e334c10e3e1637e0eb6f9bb0a4a81b3423edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef7ca4ca-4f60-4fdf-a915-d7a31b0fd49d.vbs

Filesize
709B

MD5
af9b79eb1c74c2ac9f21110b4a269fd6

SHA1
bfff537542cc7e8c1d92151bf9d3d3e11aef2e5c

SHA256
9ff29bd67e11c03168b205fdce0b3e80bc55885d76aba2d647db4ffb7c647648

SHA512
c429a4b93081f12f39412215de398e422ebdc7dcf68ea52202e66f1825900820fc5d7e87f24a037444f2ef244308375868a5a3e24d56ebcbddaa1bb79a96e3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8754.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1416-470-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/2088-122-0x000002421E810000-0x000002421E832000-memory.dmp

Filesize
136KB

Download
memory/2472-551-0x0000000003700000-0x0000000003712000-memory.dmp

Filesize
72KB

Download
memory/3292-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4052-11-0x000000001BFB0000-0x000000001BFC2000-memory.dmp

Filesize
72KB

Download
memory/4052-8-0x000000001BF80000-0x000000001BF96000-memory.dmp

Filesize
88KB

Download
memory/4052-14-0x000000001C020000-0x000000001C02E000-memory.dmp

Filesize
56KB

Download
memory/4052-15-0x000000001C870000-0x000000001C87E000-memory.dmp

Filesize
56KB

Download
memory/4052-12-0x000000001CDA0000-0x000000001D2C8000-memory.dmp

Filesize
5.2MB

Download
memory/4052-18-0x000000001C9A0000-0x000000001C9AC000-memory.dmp

Filesize
48KB

Download
memory/4052-10-0x000000001BFA0000-0x000000001BFAA000-memory.dmp

Filesize
40KB

Download
memory/4052-6-0x00000000033D0000-0x00000000033D8000-memory.dmp

Filesize
32KB

Download
memory/4052-9-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/4052-13-0x000000001BFC0000-0x000000001BFCA000-memory.dmp

Filesize
40KB

Download
memory/4052-7-0x0000000003440000-0x0000000003450000-memory.dmp

Filesize
64KB

Download
memory/4052-5-0x000000001BFD0000-0x000000001C020000-memory.dmp

Filesize
320KB

Download
memory/4052-4-0x00000000033B0000-0x00000000033CC000-memory.dmp

Filesize
112KB

Download
memory/4052-3-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4052-17-0x000000001C890000-0x000000001C898000-memory.dmp

Filesize
32KB

Download
memory/4052-2-0x000000001C140000-0x000000001C26E000-memory.dmp

Filesize
1.2MB

Download
memory/4052-223-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

Filesize
10.8MB

Download
memory/4052-16-0x000000001C880000-0x000000001C888000-memory.dmp

Filesize
32KB

Download
memory/4052-1-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/4052-0-0x00007FFA1ADC3000-0x00007FFA1ADC5000-memory.dmp

Filesize
8KB

Download