Analysis

max time kernel: 108s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 20:53

Static task: static1
Behavioral task: behavioral1
  Sample: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
  Resource: win7-20240729-en

Note that the IoCs below come from behavioral2 (the memory-dump path under the YARA match names it), i.e. the windows10-2004_x64 run described at the top; the task list as extracted shows only behavioral1.
General

Target: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Size: 4.9MB
MD5: 87d29654a3f89b1adc596d2ef22f94dd
SHA1: 28b9d0678b858302d9a6b8737fd094ff0ee59308
SHA256: 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be
SHA512: 3d8db28ba156c13e865ec24e34e38326fe90e64499e8be9fde05a46d7278c8ea431e2f702a69ede893d220331becea9871f278c8809820b9772fc1f033fa05f9
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E: (second half of the hash is cut off on the page)
Malware Config

Extracted family: colibri
Version: 1.2.0
Build: Build1
C2 URLs:
  http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
  http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures

Colibri family

DcRat
DarkCrystal (DC) RAT is a .NET RAT, active since June 2019, that can load additional plugins.

Dcrat family

Two families are flagged on this page: the extracted configuration above is Colibri (version 1.2.0, two gate.php C2 URLs), while the dcrat YARA rule matched inside the memory of the sample's own process (pid 2948; see the YARA match below). Both sets of indicators belong to the same run, so block both C2 hosts and treat the dropped TextInputHost.exe copies as the persistent component.
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host, which shows up as a parent whenever a process is created through WMI (Win32_Process.Create) instead of from the caller's own process. The 24 children are exactly the schtasks.exe processes listed under Scheduled Task/Job below, so the likely reading is task creation through WMI (a way to keep schtasks.exe from appearing as a child of the sample), not an exploited wmiprvse.exe.

description (all 24 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (all 24 rows): 2980, process tree id 85 (wmiprvse.exe)
pid (all schtasks.exe): 1796, 1520, 4868, 2684, 1684, 4888, 4524, 3380, 2492, 1436, 4688, 964, 4416, 2004, 4340, 3680, 796, 2820, 4372, 4472, 4480, 3076, 4400, 4608
(signature heading lost in the extraction) 33 IoCs
All 33 entries are writes of 0 to the three UAC policy values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 switches UAC off (it takes effect after the next reboot), ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt, and PromptOnSecureDesktop = 0 stops the prompt being shown on the secure desktop. This key is only writable by an elevated process, so the writes succeeding means the sample already held administrator rights in the sandbox. Each value is written 11 times: once by the sample, four times by its TextInputHost.exe copies, and six times by processes the report could not resolve ("Process not Found" is the report's placeholder for a pid it could not map to a tracked process, most likely short-lived children that had exited).

  Set value (int) ... = "0"     sample   TextInputHost.exe   Process not Found   total
  EnableLUA                     1        4                   6                   11
  ConsentPromptBehaviorAdmin    1        4                   6                   11
  PromptOnSecureDesktop         1        4                   6                   11
YARA match
  resource: behavioral2/memory/2948-2-0x000000001B850000-0x000000001B97E000-memory.dmp
  rule: dcrat
  (the matching region lies inside the sample's own process, pid 2948)
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes. All eleven powershell.exe processes are started directly by the sample (pid 2948; see the WriteProcessMemory table) and each enables SeDebugPrivilege (see AdjustPrivilegeToken). The command lines themselves are not reproduced on this page.

pid (all powershell.exe): 4464, 4428, 1880, 4740, 3932, 4452, 400, 2296, 2072, 4204, 2444
Checks computer location settings 2 TTPs 11 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Key value queried (all 11 rows): \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation (the sandbox user's hive)

  Process             queries
  sample              1
  TextInputHost.exe   4
  Process not Found   6
Executes dropped EXE 64 IoCs
64 is the report's per-list display cap (this list, System Language Discovery and WriteProcessMemory all stop at exactly 64), so the true count is at least this. Note the pid reuse: 924 appears twice below, and pids such as 400, 2444, 4740, 4688, 4416, 964 and 4372 also belong to powershell.exe or schtasks.exe processes elsewhere on this page. A pid is not a stable key across this run; the process tree id (procid_target) is.

  Process            pids
  tmpDB8E.tmp.exe    1232, 1648
  TextInputHost.exe  2492, 3240, 2600
  tmpFC13.tmp.exe    4676, 2620, 4680
  tmp4FE0.tmp.exe    4088, 2624, 3644, 4236, 1756, 4192, 3580, 1632, 400, 3828, 4312, 4688, 4416, 924, 964, 456, 4900, 4372, 1332, 220, 4984, 4384, 4940, 4792, 1400, 1172, 2732, 1336, 4620, 1092, 3700, 1244, 2976, 1568, 2708, 2952, 3412, 2504, 4408, 5044, 4992, 4064, 4604, 4960, 2572, 4424, 4740, 4532, 1856, 2500, 2444, 376, 5004, 924, 3940, 224 (56 entries shown)
(signature heading lost in the extraction) 22 IoCs
Every process involved first reads \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA and then writes 0 to it: 11 reads and 11 writes in total.

  Process             Key value queried   Set value (int) EnableLUA = "0"
  sample              1                   1
  TextInputHost.exe   4                   4
  Process not Found   6                   6
Suspicious use of SetThreadContext 8 IoCs

  pid    target pid   Process (caller)     procid_target
  1232   1648         tmpDB8E.tmp.exe      116
  2620   4680         tmpFC13.tmp.exe      155
  1140   1740         tmp8095.tmp.exe      1036
  4464   872          Process not Found    1946
  4396   4464         Process not Found    2692
  1632   4372         Process not Found    3801
  4704   3948         Process not Found    3968
  3644   1188         Process not Found    3416

The first two rows pair with the WriteProcessMemory table: 1232 writes seven times into 1648, and 2620 seven times into 4680, before setting the child's thread context, and in both cases the child is a second instance of the same tmp*.tmp.exe image. Create the child suspended, write the payload image into it, redirect its main thread, resume: that is the process hollowing sequence, so 1648 and 4680 run code that never existed on disk under their own name. tmp8095.tmp.exe (pid 1140) appears only in this table; its drop and launch fall outside the 64 rows shown elsewhere. The tree ids in the thousands (against 114 to 169 for the first chain) place the last five rows late in the run, probably inside the tmp4FE0.tmp.exe spawn loop.
Drops file in Program Files directory 12 IoCs
Drops file in Windows directory 8 IoCs
All 20 events are by the sample (pid 2948). Each drop is an executable written under the name of a Windows system binary into a directory where no legitimate copy of that binary lives, paired with a companion file whose name is a 14-character hex string, and staged through an RCX*.tmp file in the same directory (File created plus File opened for modification for the executable, File created for the companion, File opened for modification for the staging file). Of the five, only the C:\Windows\Containers\serviced\TextInputHost.exe copy is seen executing on this page. A system-binary name outside its canonical path (csrss.exe or services.exe anywhere but System32, explorer.exe anywhere but C:\Windows) is a cheap, high-confidence hunt for this family's drops.

  Directory                                             Executable         Companion file    Staging file
  C:\Program Files\Windows NT\TableTextService\en-US\   csrss.exe          886983d96e3d3e    RCXE48B.tmp
  C:\Program Files\Windows Photo Viewer\ja-JP\          explorer.exe       7a0fd90576e088    RCXD979.tmp
  C:\Program Files\WindowsPowerShell\                   SearchApp.exe      38384e6a620884    RCXE950.tmp
  C:\Windows\Containers\serviced\                       TextInputHost.exe  22eafd247d37c3    RCXDDB2.tmp
  C:\Windows\Logs\DPX\                                  services.exe       c5b4cb5e9653cc    RCXDFD6.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened (all 64 rows): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

  Process             opens
  tmp4FE0.tmp.exe     22
  Process not Found   42
  (64 shown; the list is capped, and the unresolved processes are most likely further tmp4FE0.tmp.exe instances from the spawn loop)

On its own this is weak evidence, since ordinary locale initialisation opens the same key. The deliberate check is the Geo\Nation query above, made by the sample and its TextInputHost.exe copies; this key is only touched by the tmp4FE0.tmp.exe stage.
Modifies registry class 11 IoCs

  Key created                                                                                   Process             count
  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings           TextInputHost.exe   4
  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings           Process not Found   6
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\     sample              1
Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs
schtasks.exe is often used by malware for persistence or to perform post-infection execution. All 24 schtasks.exe processes here are the children wmiprvse.exe spawned (see Process spawned unexpected child process above); the task names and commands are not on this page. Pid 2492 is reused: it is both a schtasks.exe process here and a TextInputHost.exe process under Executes dropped EXE.

pid (all schtasks.exe): 4480, 3380, 1436, 4688, 964, 2004, 3680, 2820, 4400, 1796, 1520, 4868, 4888, 4524, 2492, 2684, 4416, 4340, 4372, 3076, 4608, 1684, 796, 4472
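The four behaviours above that are cheapest to alert on (wmiprvse.exe as the parent of schtasks.exe, PowerShell adding Defender exclusions, the UAC policy values being zeroed, and system-binary names dropped outside their canonical directories) can be encoded as a handful of rules over process-creation and registry-write telemetry. The block below is an added example written for this page, not code from the sandbox, tria.ge, or the DCRat or Colibri projects. The Event shape, the canonical-directory map, the PowerShell command line and the csrss.exe launch under pid 9999 are assumptions; the report shows only the process list and the file drop for those. The pids 1796, 4464 and 2948 and the wmiprvse.exe and drop paths are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    """One normalised telemetry event; the shape is an assumption, not the sandbox's schema."""
    kind: str                   # "process" (creation) or "registry" (value written)
    pid: int
    image: str = ""             # full path of the created process
    parent_image: str = ""      # full path of its parent
    cmdline: str = ""
    key: str = ""               # registry path including the value name
    value: Optional[int] = None


# The three UAC policy values this report shows being written to 0
UAC_KEY = r"\registry\machine\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

# Assumption: where these binaries live on a default install. The report drops files with
# these names under Program Files and C:\Windows\Logs, where no legitimate copy exists.
CANONICAL_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Add-MpPreference with any of the exclusion parameters the signature text names
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|extension|process)\b", re.I)


def rule_wmi_spawned_schtasks(ev: Event) -> Optional[str]:
    # wmiprvse.exe is only a parent when the process was created through WMI
    if (ev.kind == "process" and ev.parent_image.lower().endswith(r"\wmiprvse.exe")
            and ev.image.lower().endswith(r"\schtasks.exe")):
        return "wmiprvse_spawned_schtasks"
    return None


def rule_defender_exclusion(ev: Event) -> Optional[str]:
    if (ev.kind == "process" and ev.image.lower().endswith(r"\powershell.exe")
            and EXCLUSION_RE.search(ev.cmdline)):
        return "powershell_adds_defender_exclusion"
    return None


def rule_uac_zeroed(ev: Event) -> Optional[str]:
    if ev.kind != "registry":
        return None
    key, _, name = ev.key.lower().rpartition("\\")
    if key == UAC_KEY and name in UAC_VALUES and ev.value == 0:
        return "uac_policy_zeroed:" + name
    return None


def rule_masquerading_path(ev: Event) -> Optional[str]:
    if ev.kind != "process":
        return None
    directory, _, name = ev.image.lower().rpartition("\\")
    allowed = CANONICAL_DIRS.get(name)
    if allowed is not None and directory not in allowed:
        return "system_binary_name_outside_canonical_dir:" + name
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_wmi_spawned_schtasks, rule_defender_exclusion, rule_uac_zeroed, rule_masquerading_path,
]


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule each event trips."""
    return [(ev.pid, hit) for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed events modelled on this report's rows (see the lead-in for what is assumed)
SAMPLE_EVENTS = [
    Event("process", 1796, r"C:\Windows\System32\schtasks.exe",
          r"C:\Windows\system32\wbem\wmiprvse.exe", "schtasks.exe /create"),
    Event("process", 4464, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
          r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced'"),
    Event("registry", 2948, key=UAC_KEY + r"\EnableLUA", value=0),
    Event("registry", 2948, key=UAC_KEY + r"\ConsentPromptBehaviorAdmin", value=0),
    Event("process", 9999, r"C:\Program Files\Windows NT\TableTextService\en-US\csrss.exe",
          r"C:\Windows\Containers\serviced\TextInputHost.exe"),
    # benign controls that must stay quiet: the real csrss.exe, and schtasks run from a console
    Event("process", 612, r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\smss.exe"),
    Event("process", 5100, r"C:\Windows\System32\schtasks.exe",
          r"C:\Windows\System32\cmd.exe", "schtasks /query"),
]


def run_sample() -> List[Tuple[int, str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, hit in run_sample():
        print(pid, hit)
```

The masquerading rule deliberately keys on the image name rather than a hash: the report shows the same trick under five different names, and a name-plus-directory check catches all of them without knowing the payload. The two control events show the rules do not fire on the genuine csrss.exe or on schtasks.exe started from a console.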
Suspicious behavior: EnumeratesProcesses 55 IoCs

  Process             pids and counts
  sample              2948 (11)
  powershell.exe      4428, 2072, 1880, 2444, 2296, 4452, 4204, 400, 4464, 4740, 3932: 3 each (33)
  TextInputHost.exe   2492 (2), 3240, 2600, 4100 (5)
  Process not Found   4688, 3188, 5080, 824, 2696, 4792 (6)
Suspicious use of AdjustPrivilegeToken 22 IoCs
Token: SeDebugPrivilege, enabled by every process below.

  sample              2948
  powershell.exe      4428, 4452, 2072, 1880, 4740, 2444, 2296, 4204, 400, 4464, 3932
  TextInputHost.exe   2492, 3240, 2600, 4100
  Process not Found   4688, 3188, 5080, 824, 2696, 4792
Suspicious use of WriteProcessMemory 64 IoCs
Each row records writer pid, target pid, writer image and the target's process tree id. The rows are grouped below by writer with the number of writes per target; target images come from the other tables on this page where they are listed, otherwise they are marked as not listed. Two or three writes into a newly created child are what every parent does at process start-up, so most of these rows simply record who started whom; the two runs of seven writes go to the hollowed children flagged under SetThreadContext.

  writer                      ->  target                                       writes   tree id
  2948 sample                 ->  1232 tmpDB8E.tmp.exe                          3        114
  1232 tmpDB8E.tmp.exe        ->  1648 tmpDB8E.tmp.exe (hollowed)               7        116
  2948 sample                 ->  3932 powershell.exe                           2        122
  2948 sample                 ->  4464 powershell.exe                           2        123
  2948 sample                 ->  4452 powershell.exe                           2        124
  2948 sample                 ->  400 powershell.exe                            2        125
  2948 sample                 ->  4428 powershell.exe                           2        126
  2948 sample                 ->  1880 powershell.exe                           2        127
  2948 sample                 ->  2296 powershell.exe                           2        128
  2948 sample                 ->  2072 powershell.exe                           2        129
  2948 sample                 ->  4204 powershell.exe                           2        130
  2948 sample                 ->  4740 powershell.exe                           2        131
  2948 sample                 ->  2444 powershell.exe                           2        132
  2948 sample                 ->  2492 TextInputHost.exe                        2        144
  2492 TextInputHost.exe      ->  4676 tmpFC13.tmp.exe                          3        150
  2492 TextInputHost.exe      ->  1224 WScript.exe                              2        151
  2492 TextInputHost.exe      ->  3256 (image not listed on this page)          2        153
  4676 tmpFC13.tmp.exe        ->  2620 tmpFC13.tmp.exe                          3        154
  2620 tmpFC13.tmp.exe        ->  4680 tmpFC13.tmp.exe (hollowed)               7        155
  1224 WScript.exe            ->  3240 TextInputHost.exe                        2        158
  3240 TextInputHost.exe      ->  3228 WScript.exe                              2        160
  3240 TextInputHost.exe      ->  2436 (image not listed on this page)          2        161
  3228 WScript.exe            ->  2600 TextInputHost.exe                        2        165
  2600 TextInputHost.exe      ->  3280 (image not listed on this page)          2        167
  2600 TextInputHost.exe      ->  3784 (image not listed on this page)          2        168
  2600 TextInputHost.exe      ->  4088 tmp4FE0.tmp.exe                          1        169 (list capped at 64 rows here)

Read as a tree: the sample starts a tmpDB8E.tmp.exe loader (which hollows a second copy of itself), the eleven powershell.exe processes and the first TextInputHost.exe copy. Each TextInputHost.exe copy then starts WScript.exe, which starts the next TextInputHost.exe copy: a script-driven relaunch chain (the script WScript.exe runs is not among the drops shown on this page). The first copy also runs the tmpFC13.tmp.exe loader stage, and the third copy begins the tmp4FE0.tmp.exe spawn loop that dominates the later tables.
System policy modification (1 TTPs, 33 IoCs)
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" TextInputHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1, PID 2948: C:\Users\Admin\AppData\Local\Temp\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31dd679220aa53946f6d61d4799a94ecd1dfabee10d495b9425f1a5ae88637be.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Level 2, PID 1232: C:\Users\Admin\AppData\Local\Temp\tmpDB8E.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDB8E.tmp.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 3, PID 1648: C:\Users\Admin\AppData\Local\Temp\tmpDB8E.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpDB8E.tmp.exe"
  - Executes dropped EXE

Level 2, PID 3932: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 4464: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 4452: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 400: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 4428: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 1880: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 2296: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 2072: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 4204: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 4740: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 2444: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

Level 2, PID 2492: C:\Windows\Containers\serviced\TextInputHost.exe
  Command line: "C:\Windows\Containers\serviced\TextInputHost.exe"
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Level 3, PID 4676: C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

Level 4, PID 2620: C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

Level 5, PID 4680: C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmpFC13.tmp.exe"
  - Executes dropped EXE

Level 3, PID 1224: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15a283c6-d588-4c89-b38f-3fbcb8dc5025.vbs"
  - Suspicious use of WriteProcessMemory

Level 4, PID 3240: C:\Windows\Containers\serviced\TextInputHost.exe
  Command line: C:\Windows\Containers\serviced\TextInputHost.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Level 5, PID 3228: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\250846a4-12b1-4388-9a26-8f96419d0367.vbs"
  - Suspicious use of WriteProcessMemory

Level 6, PID 2600: C:\Windows\Containers\serviced\TextInputHost.exe
  Command line: C:\Windows\Containers\serviced\TextInputHost.exe
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

Level 7, PID 3280: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e37b01-8fd3-4f2a-be45-e22f5eb4f823.vbs"

Level 8, PID 4100: C:\Windows\Containers\serviced\TextInputHost.exe
  Command line: C:\Windows\Containers\serviced\TextInputHost.exe
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

Level 9, PID 3108: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7c06324-d987-44e5-a278-15b6fd1b05cf.vbs"

Level 9, PID 2140: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\654e090f-74a0-4a6d-aae4-d345bf289143.vbs"

Level 9, PID 1784: C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe"

Level 10, PID 3188: C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe"

Level 11, PID 1140: C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe"
  - Suspicious use of SetThreadContext

Level 12, PID 1740: C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe"

Level 7, PID 3784: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1569832f-28a8-41cc-9abf-5903eae23247.vbs"

Level 7, PID 4088: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 8, PID 2624: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 9, PID 3644: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 10, PID 4236: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 11, PID 1756: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 12, PID 4192: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 13, PID 3580: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 14, PID 1632: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 15, PID 400: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 16, PID 3828: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 17, PID 4312: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 18, PID 4688: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 19, PID 4416: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 20, PID 924: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 21, PID 964: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 22, PID 456: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 23, PID 4900: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 24, PID 4372: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 25, PID 1332: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 26, PID 220: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 27, PID 4984: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 28, PID 4384: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 29, PID 4940: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 30, PID 4792: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 31, PID 1400: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 32, PID 1172: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 33, PID 2732: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 34, PID 1336: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 35, PID 4620: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 36, PID 1092: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 37, PID 3700: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 38, PID 1244: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 39, PID 2976: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 40, PID 1568: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 41, PID 2708: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 42, PID 2952: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 43, PID 3412: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 44, PID 2504: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 45, PID 4408: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 46, PID 5044: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 47, PID 4992: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 48, PID 4064: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 49, PID 4604: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 50, PID 4960: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

Level 51, PID 2572: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 52, PID 4424: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 53, PID 4740: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 54, PID 4532: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 55, PID 1856: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 56, PID 2500: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 57, PID 2444: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 58, PID 376: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 59, PID 5004: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 60, PID 924: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 61, PID 3940: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 62, PID 224: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - Executes dropped EXE

Level 63, PID 1520: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 64, PID 3620: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 65, PID 4480: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 66, PID 1048: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 67, PID 3208: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 68, PID 708: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 69, PID 2016: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 70, PID 4456: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 71, PID 4448: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 72, PID 860: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 73, PID 3900: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 74, PID 2008: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 75, PID 2012: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 76, PID 4216: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 77, PID 2712: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 78, PID 636: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 79, PID 3540: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 80, PID 3692: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 81, PID 1244: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 82, PID 2976: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 83, PID 4528: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 84, PID 2620: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 85, PID 4852: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 86, PID 3556: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 87, PID 2860: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 88, PID 4072: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 89, PID 1772: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 90, PID 5104: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - System Location Discovery: System Language Discovery

Level 91, PID 4236: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 92, PID 3592: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 93, PID 4060: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 94, PID 4808: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"
  - System Location Discovery: System Language Discovery

Level 95, PID 2572: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 96, PID 664: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 97, PID 4740: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 98, PID 1188: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 99, PID 4752: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 100, PID 4888: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 101, PID 2492: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 102, PID 2372: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 103, PID 532: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 104, PID 2368: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 105, PID 1136: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 106, PID 4464: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 107, PID 4760: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 108, PID 3404: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 109, PID 5016: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 110, PID 4984: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 111, PID 3244: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 112, PID 1848: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 113, PID 2512: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 114, PID 1140: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 115, PID 4792: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 116, PID 860: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 117, PID 1880: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 118, PID 2964: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 119, PID 3584: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 120, PID 1336: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 121, PID 4620: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"

Level 122, PID 3968: C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FE0.tmp.exe"