colibri | bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

Analysis

max time kernel
119s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Size

4.9MB
MD5

a521b23108ca72a0a8e837bb4bc6c309
SHA1

a80623d726004b9c0086377c19f822a67af0c490
SHA256

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec
SHA512

33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:j

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	508	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	508	schtasks.exe	82

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2604-3-0x000000001B840000-0x000000001B96E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
3208	powershell.exe
4348	powershell.exe
4364	powershell.exe
4400	powershell.exe
2128	powershell.exe
1252	powershell.exe
1536	powershell.exe
1396	powershell.exe
1824	powershell.exe
1192	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 34 IoCs

pid	Process
4504	tmp9210.tmp.exe
3680	tmp9210.tmp.exe
4404	tmp9210.tmp.exe
3292	tmp9210.tmp.exe
3248	tmp9210.tmp.exe
2500	OfficeClickToRun.exe
1576	tmpC091.tmp.exe
4036	tmpC091.tmp.exe
1920	OfficeClickToRun.exe
3912	OfficeClickToRun.exe
3224	tmpFCAF.tmp.exe
3636	tmpFCAF.tmp.exe
1016	OfficeClickToRun.exe
208	tmp2D74.tmp.exe
3376	tmp2D74.tmp.exe
3412	OfficeClickToRun.exe
3292	tmp73E3.tmp.exe
4708	tmp73E3.tmp.exe
4292	tmp73E3.tmp.exe
448	OfficeClickToRun.exe
3224	tmpA5FF.tmp.exe
1668	tmpA5FF.tmp.exe
4980	OfficeClickToRun.exe
4860	tmpC261.tmp.exe
3604	tmpC261.tmp.exe
4712	OfficeClickToRun.exe
4496	tmpF4FA.tmp.exe
3292	tmpF4FA.tmp.exe
2216	OfficeClickToRun.exe
1836	tmp25CE.tmp.exe
4832	tmp25CE.tmp.exe
3424	OfficeClickToRun.exe
1656	tmp426E.tmp.exe
1144	tmp426E.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 3292 set thread context of 3248	3292	tmp9210.tmp.exe	129
PID 1576 set thread context of 4036	1576	tmpC091.tmp.exe	161
PID 3224 set thread context of 3636	3224	tmpFCAF.tmp.exe	171
PID 208 set thread context of 3376	208	tmp2D74.tmp.exe	178
PID 4708 set thread context of 4292	4708	tmp73E3.tmp.exe	185
PID 3224 set thread context of 1668	3224	tmpA5FF.tmp.exe	191
PID 4860 set thread context of 3604	4860	tmpC261.tmp.exe	197
PID 4496 set thread context of 3292	4496	tmpF4FA.tmp.exe	203
PID 1836 set thread context of 4832	1836	tmp25CE.tmp.exe	209
PID 1656 set thread context of 1144	1656	tmp426E.tmp.exe	215

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\38384e6a620884	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\7-Zip\bee0cf49df1c26	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXA0DD.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fontdrvhost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\dotnet\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX9369.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\Windows Defender\en-US\SearchApp.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\Windows Multimedia Platform\55b276f4edf653	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\dotnet\6203df4a6bafc7	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\SearchApp.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX9792.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\dotnet\RCXA2F1.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\dotnet\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Defender\fontdrvhost.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Defender\5b884080fd4f94	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files\7-Zip\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\7-Zip\RCXA813.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files\7-Zip\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\e6c9b481da804f	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\ja-JP\services.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\ja-JP\c5b4cb5e9653cc	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\RCX9115.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\ja-JP\RCXAA18.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\ja-JP\services.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF4FA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC091.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA5FF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp25CE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9210.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFCAF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2D74.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC261.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp426E.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe
4704	schtasks.exe
4456	schtasks.exe
768	schtasks.exe
3068	schtasks.exe
2000	schtasks.exe
3316	schtasks.exe
3416	schtasks.exe
3888	schtasks.exe
4244	schtasks.exe
4600	schtasks.exe
4748	schtasks.exe
1392	schtasks.exe
4432	schtasks.exe
2316	schtasks.exe
4228	schtasks.exe
2564	schtasks.exe
3728	schtasks.exe
2280	schtasks.exe
3580	schtasks.exe
1852	schtasks.exe
4888	schtasks.exe
4324	schtasks.exe
3704	schtasks.exe
1424	schtasks.exe
4516	schtasks.exe
2108	schtasks.exe
1308	schtasks.exe
3676	schtasks.exe
1428	schtasks.exe
3852	schtasks.exe
4744	schtasks.exe
1540	schtasks.exe
2136	schtasks.exe
2956	schtasks.exe
3548	schtasks.exe
1640	schtasks.exe
668	schtasks.exe
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
4348	powershell.exe
4348	powershell.exe
2128	powershell.exe
2128	powershell.exe
1192	powershell.exe
1192	powershell.exe
1824	powershell.exe
1824	powershell.exe
3004	powershell.exe
3004	powershell.exe
4364	powershell.exe
4364	powershell.exe
1536	powershell.exe
1536	powershell.exe
1396	powershell.exe
1396	powershell.exe
3208	powershell.exe
3208	powershell.exe
2128	powershell.exe
4400	powershell.exe
4400	powershell.exe
1252	powershell.exe
1252	powershell.exe
1396	powershell.exe
4348	powershell.exe
3004	powershell.exe
1536	powershell.exe
1824	powershell.exe
4400	powershell.exe
4364	powershell.exe
1192	powershell.exe
3208	powershell.exe
1252	powershell.exe
2500	OfficeClickToRun.exe
2500	OfficeClickToRun.exe
1920	OfficeClickToRun.exe
3912	OfficeClickToRun.exe
1016	OfficeClickToRun.exe
3412	OfficeClickToRun.exe
448	OfficeClickToRun.exe
4980	OfficeClickToRun.exe
4712	OfficeClickToRun.exe
2216	OfficeClickToRun.exe
3424	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2500	OfficeClickToRun.exe
Token: SeDebugPrivilege	1920	OfficeClickToRun.exe
Token: SeDebugPrivilege	3912	OfficeClickToRun.exe
Token: SeDebugPrivilege	1016	OfficeClickToRun.exe
Token: SeDebugPrivilege	3412	OfficeClickToRun.exe
Token: SeDebugPrivilege	448	OfficeClickToRun.exe
Token: SeDebugPrivilege	4980	OfficeClickToRun.exe
Token: SeDebugPrivilege	4712	OfficeClickToRun.exe
Token: SeDebugPrivilege	2216	OfficeClickToRun.exe
Token: SeDebugPrivilege	3424	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 4504	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	124
PID 2604 wrote to memory of 4504	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	124
PID 2604 wrote to memory of 4504	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	124
PID 4504 wrote to memory of 3680	4504	tmp9210.tmp.exe	126
PID 4504 wrote to memory of 3680	4504	tmp9210.tmp.exe	126
PID 4504 wrote to memory of 3680	4504	tmp9210.tmp.exe	126
PID 3680 wrote to memory of 4404	3680	tmp9210.tmp.exe	127
PID 3680 wrote to memory of 4404	3680	tmp9210.tmp.exe	127
PID 3680 wrote to memory of 4404	3680	tmp9210.tmp.exe	127
PID 4404 wrote to memory of 3292	4404	tmp9210.tmp.exe	128
PID 4404 wrote to memory of 3292	4404	tmp9210.tmp.exe	128
PID 4404 wrote to memory of 3292	4404	tmp9210.tmp.exe	128
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 3292 wrote to memory of 3248	3292	tmp9210.tmp.exe	129
PID 2604 wrote to memory of 1536	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	134
PID 2604 wrote to memory of 1536	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	134
PID 2604 wrote to memory of 1252	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	135
PID 2604 wrote to memory of 1252	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	135
PID 2604 wrote to memory of 2128	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	136
PID 2604 wrote to memory of 2128	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	136
PID 2604 wrote to memory of 3004	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	137
PID 2604 wrote to memory of 3004	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	137
PID 2604 wrote to memory of 4400	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	138
PID 2604 wrote to memory of 4400	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	138
PID 2604 wrote to memory of 1192	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	139
PID 2604 wrote to memory of 1192	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	139
PID 2604 wrote to memory of 4364	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	140
PID 2604 wrote to memory of 4364	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	140
PID 2604 wrote to memory of 4348	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	141
PID 2604 wrote to memory of 4348	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	141
PID 2604 wrote to memory of 1824	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	142
PID 2604 wrote to memory of 1824	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	142
PID 2604 wrote to memory of 3208	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	143
PID 2604 wrote to memory of 3208	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	143
PID 2604 wrote to memory of 1396	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	144
PID 2604 wrote to memory of 1396	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	144
PID 2604 wrote to memory of 2500	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	156
PID 2604 wrote to memory of 2500	2604	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	156
PID 2500 wrote to memory of 4244	2500	OfficeClickToRun.exe	157
PID 2500 wrote to memory of 4244	2500	OfficeClickToRun.exe	157
PID 2500 wrote to memory of 1444	2500	OfficeClickToRun.exe	158
PID 2500 wrote to memory of 1444	2500	OfficeClickToRun.exe	158
PID 2500 wrote to memory of 1576	2500	OfficeClickToRun.exe	159
PID 2500 wrote to memory of 1576	2500	OfficeClickToRun.exe	159
PID 2500 wrote to memory of 1576	2500	OfficeClickToRun.exe	159
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 1576 wrote to memory of 4036	1576	tmpC091.tmp.exe	161
PID 4244 wrote to memory of 1920	4244	WScript.exe	162
PID 4244 wrote to memory of 1920	4244	WScript.exe	162
PID 1920 wrote to memory of 528	1920	OfficeClickToRun.exe	163
PID 1920 wrote to memory of 528	1920	OfficeClickToRun.exe	163
PID 1920 wrote to memory of 3556	1920	OfficeClickToRun.exe	164
PID 1920 wrote to memory of 3556	1920	OfficeClickToRun.exe	164
PID 528 wrote to memory of 3912	528	WScript.exe	165

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
"C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2604
- C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
  "C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a194563d-f72d-4f3c-8bb0-5c2ec8cac569.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
      C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0af48968-55db-48fd-8e29-611816ebd308.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:528
      - C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9970ea65-5eb4-424d-bee2-cc5c2f8d586f.vbs"
        7⤵
        
        PID:4396
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9625eb23-5db4-4420-82fc-28587bbba3f6.vbs"
        9⤵
        
        PID:1148
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0b65d0a-fc90-48e5-ba6d-e3d07ad7a389.vbs"
        11⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79f5b167-3d8c-43a1-8b9e-7980938b1909.vbs"
        13⤵
        
        PID:4600
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a24c7be-1dbc-4adb-823a-976165f6f7cd.vbs"
        15⤵
        
        PID:3512
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c31dc4e-38f8-4a19-8f2d-dbec66d14ca8.vbs"
        17⤵
        
        PID:3588
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7faa495-8abe-4e0d-a588-87e9af689a56.vbs"
        19⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        
        C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18c1a918-7f0d-4ccb-92aa-cf10617535c2.vbs"
        21⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cab5997-853e-4ce9-a4ef-167de4360c55.vbs"
        21⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp426E.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd35724f-5247-4fde-905c-ad510f9e8941.vbs"
        19⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25CE.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a33d4e5-90e1-4435-aba4-f7a641cd9f60.vbs"
        17⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmpF4FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF4FA.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmpF4FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF4FA.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c644d1-f611-451f-a2ea-7c9bd581fc27.vbs"
        15⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC261.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eeeffed-5664-4ec5-ba8e-2afcac05a9c2.vbs"
        13⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\208582f8-fa49-43af-9f02-c9ae1d092da1.vbs"
        11⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp73E3.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\890e7962-aec8-4295-95d7-bc1ba699cc65.vbs"
        9⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D74.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1fe956d-12fe-4bac-8c02-f987413ec846.vbs"
        7⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCAF.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3636
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d304380-e330-4c68-b0f3-8e3e27ac53b2.vbs"
        5⤵
        
        PID:3556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4389372-316e-4dd8-b917-c774ff8a0efa.vbs"
    3⤵
    PID:1444
- - C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\dotnet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec" /sc ONLOGON /tr "'C:\Program Files\7-Zip\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\StartMenuExperienceHost.exe

Filesize
4.9MB

MD5
822dee5caa75f23c1d9e46d4070de343

SHA1
99fcd842ced3ade5543e5cf0d2280db315a5624b

SHA256
063f15deaf2abf0636701d69769b565afcd957b0307e7bd5e410b183aa5fdff7

SHA512
2e1147b6f9927d45cd59cfae9a4bd9adb763e4e621d1eaf82c42f612ff538384e8725632028c7043f8aefd2687d0bd5af648bc170a059b8cf72c2b6a9fbca3b2

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
4.9MB

MD5
a521b23108ca72a0a8e837bb4bc6c309

SHA1
a80623d726004b9c0086377c19f822a67af0c490

SHA256
bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

SHA512
33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0af48968-55db-48fd-8e29-611816ebd308.vbs

Filesize
737B

MD5
dfe927b4a8af904f6714f8d7b76acf66

SHA1
03112e3f257abca3acb6a6ae93f5c649884dbbb2

SHA256
c85b42b40ab062c3d242e345e7cbaec3348bbd849ced5cd66f4acefab330e87c

SHA512
772364e2f4ad9063af892e1c750aa23d89084062ac56cd1522df541cad7dc0d567cbbc1e4efb4fc189e56107ac144c8446a256c67c272f34b52b27a56d39128b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a24c7be-1dbc-4adb-823a-976165f6f7cd.vbs

Filesize
737B

MD5
2fdc623d824647c9d63e1de7f9119b64

SHA1
4b86014813c61021add008dae7005d220aac80ff

SHA256
8581df3d83c6a5041bea5aac2289c0879324c8128d336cb206df1a2634adabb9

SHA512
5d02094da1b128a5f5d4d60fcc0af43213c59d1bee53f04e0a04adf47128ace0a34123484832ed89d0751ccc87abf0637c3716bb06f9d5f2e26762f09b433cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\79f5b167-3d8c-43a1-8b9e-7980938b1909.vbs

Filesize
736B

MD5
7cd9ea9f6a486b3bdf61432a86e26b00

SHA1
dbfc7b1d1f62e911eb1253794c4433c8b1f20a38

SHA256
a09a09bea33d0ee9982c1820cf10684de23b22582e0230f6e8f2a7887f454dfd

SHA512
32fc9d8856cc765eafda910cab26bc8d2ae2e2d378740d17820fed2505b66cb364b33ae9e76e4e7b28fb7b163abea7117577914635018c632eb9880d336b70f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9625eb23-5db4-4420-82fc-28587bbba3f6.vbs

Filesize
737B

MD5
83277d5f0028b18dffafe9663641c9bd

SHA1
4b13dbd2b2f6c06de5c8cea40e8fd31cfffbd6ec

SHA256
f3f78e1ee5bf4666f02fc3dc39c8d077767333cbb6ddc1dd0965153d05c3c688

SHA512
bae026db7947ba32e2ebb28849bb586b110ae6d5ad5c575f755abab58e525be6c535ea3b094de44c7a23518f8314ee860be0b0da4437d8d0b6bdd85e29b33529

Download Submit
C:\Users\Admin\AppData\Local\Temp\9970ea65-5eb4-424d-bee2-cc5c2f8d586f.vbs

Filesize
737B

MD5
b3c337d6e3938b587ad85b1116f708ef

SHA1
3c68ae8a0e87c6b8177cc9ac687b632f0f04f8fd

SHA256
7fcd1336c3eb23cfba25bbad4902901fd08ca1d4927d392c8861726b14273e3e

SHA512
c4df2ba732e5c1adea6d98bd62037b2dea3c9ca31f9fdfab9efbcb88438c0b2ba05b2fbc879209da2d390ee2751ce683014c18be4f5d3c742d7fe82778881582

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sofmlssi.mtt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a194563d-f72d-4f3c-8bb0-5c2ec8cac569.vbs

Filesize
737B

MD5
1395e992df49a9b61d3f61ee57e5c017

SHA1
7f2b093356b0374b0a20f995c07adec143f3895d

SHA256
5116848e1e935e66f04382a82ddd8a68edabb16d9355012b3953553337ff7a80

SHA512
95baae7e67b950a2858b61cd41f1df8c4a262f88ea4f61fa9fd233907165b80c96f0ca72a2794a1813c010290e728639428fe9bbddac79d61e65433b8f86b97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4389372-316e-4dd8-b917-c774ff8a0efa.vbs

Filesize
513B

MD5
345cb36a32d2e5b454e041fa2c4af1a0

SHA1
95e2ed1b571663b7e29621d8b750b3cf3664efb4

SHA256
b48eccb1d8cb7685153aef456d5fa6825d6743d8844f22896d11fccf39857b23

SHA512
261a4ee6b0ae792f7ad7bc01f43db1b53d525950ca4986370ed955480a828220cfcf4a9eea49e7b701d16b04b4a49901330cd3942b77e6883c18442ba4c5f524

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0b65d0a-fc90-48e5-ba6d-e3d07ad7a389.vbs

Filesize
737B

MD5
86fa69d17f1a005119c8600fd71e6cd0

SHA1
fbdecdf6b3b14d67f6726e1324d112e2596b204c

SHA256
b626a42c7e4e43df71c1d1133f9960958fc23588c908f1d37ef98193722dfc10

SHA512
f72ee56da8288250ac34f5434dbde1bab302ebadd0303781f0eaf9f50737b3352a32047488a24058aab0beef234e0c620c739591c5ddde358884e439aa3a3f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9210.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\ja-JP\services.exe

Filesize
4.9MB

MD5
4e58086f02958c613ef9084eff32e2cd

SHA1
9e5842bea76502462f46c093ac54e257f7c60ede

SHA256
84c6c128384c3e72acdb52b85dbdfbdc03c72bd27e52c119d669d4f54d45d96a

SHA512
c9a2414f486e873c4312b3f9f0ae40c2e20acafafe9c6a2188f768a315675cd697e0b1ff40ee48e0e7753687f59ad286ae39b337295a3871c2f8ca71555d44ad

Download Submit
memory/1396-205-0x000001DF4D150000-0x000001DF4D172000-memory.dmp

Filesize
136KB

Download
memory/2500-319-0x000000001C1F0000-0x000000001C202000-memory.dmp

Filesize
72KB

Download
memory/2604-11-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/2604-5-0x000000001C010000-0x000000001C060000-memory.dmp

Filesize
320KB

Download
memory/2604-10-0x000000001B9E0000-0x000000001B9EA000-memory.dmp

Filesize
40KB

Download
memory/2604-9-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/2604-17-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

Filesize
32KB

Download
memory/2604-18-0x000000001C0B0000-0x000000001C0BC000-memory.dmp

Filesize
48KB

Download
memory/2604-318-0x00007FFC27110000-0x00007FFC27BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-16-0x000000001C090000-0x000000001C098000-memory.dmp

Filesize
32KB

Download
memory/2604-14-0x000000001C070000-0x000000001C07E000-memory.dmp

Filesize
56KB

Download
memory/2604-15-0x000000001C080000-0x000000001C08E000-memory.dmp

Filesize
56KB

Download
memory/2604-13-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/2604-12-0x000000001C590000-0x000000001CAB8000-memory.dmp

Filesize
5.2MB

Download
memory/2604-1-0x0000000000610000-0x0000000000B04000-memory.dmp

Filesize
5.0MB

Download
memory/2604-0-0x00007FFC27113000-0x00007FFC27115000-memory.dmp

Filesize
8KB

Download
memory/2604-155-0x00007FFC27110000-0x00007FFC27BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-8-0x000000001B9B0000-0x000000001B9C6000-memory.dmp

Filesize
88KB

Download
memory/2604-7-0x000000001B9A0000-0x000000001B9B0000-memory.dmp

Filesize
64KB

Download
memory/2604-6-0x000000001B990000-0x000000001B998000-memory.dmp

Filesize
32KB

Download
memory/2604-2-0x00007FFC27110000-0x00007FFC27BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2604-141-0x00007FFC27113000-0x00007FFC27115000-memory.dmp

Filesize
8KB

Download
memory/2604-4-0x000000001B970000-0x000000001B98C000-memory.dmp

Filesize
112KB

Download
memory/2604-3-0x000000001B840000-0x000000001B96E000-memory.dmp

Filesize
1.2MB

Download
memory/3248-80-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3912-376-0x000000001B2E0000-0x000000001B2F2000-memory.dmp

Filesize
72KB

Download
memory/4712-494-0x000000001C0D0000-0x000000001C0E2000-memory.dmp

Filesize
72KB

Download
memory/4980-472-0x0000000003340000-0x0000000003352000-memory.dmp

Filesize
72KB

Download