colibri | 8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

Analysis

max time kernel
116s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Size

4.9MB
MD5

7c5669c1eb8e15de18ad5888920de3f7
SHA1

62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb
SHA256

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811
SHA512

791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8Z:R

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 63 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4892	schtasks.exe
		4444	schtasks.exe
		2560	schtasks.exe
		2288	schtasks.exe
		3564	schtasks.exe
		4524	schtasks.exe
		5052	schtasks.exe
		4944	schtasks.exe
		4028	schtasks.exe
		3720	schtasks.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		1688	schtasks.exe
		464	schtasks.exe
		4016	schtasks.exe
		2708	schtasks.exe
		4292	schtasks.exe
		1456	schtasks.exe
		2496	schtasks.exe
		2584	schtasks.exe
		1904	schtasks.exe
		1028	schtasks.exe
		1364	schtasks.exe
		3436	schtasks.exe
		1948	schtasks.exe
		1884	schtasks.exe
		2888	schtasks.exe
		4600	schtasks.exe
		4652	schtasks.exe
		4124	schtasks.exe
		3020	schtasks.exe
		4304	schtasks.exe
		2760	schtasks.exe
		4624	schtasks.exe
File created	C:\Windows\L2Schemas\ea1d8f6d871115		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		5036	schtasks.exe
		2764	schtasks.exe
		2688	schtasks.exe
		1496	schtasks.exe
		4308	schtasks.exe
		1612	schtasks.exe
		2724	schtasks.exe
		1156	schtasks.exe
		2352	schtasks.exe
		2016	schtasks.exe
		4812	schtasks.exe
		4856	schtasks.exe
		1072	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\ee2ad38f3d4382		8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
		4040	schtasks.exe
		3952	schtasks.exe
		4904	schtasks.exe
		3488	schtasks.exe
		2148	schtasks.exe
		3076	schtasks.exe
		3700	schtasks.exe
		3684	schtasks.exe
		2196	schtasks.exe
		1876	schtasks.exe
		3776	schtasks.exe
		2328	schtasks.exe
		1544	schtasks.exe
		1528	schtasks.exe
		4704	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4548	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	4548	schtasks.exe	83

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3116-3-0x000000001BC20000-0x000000001BD4E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3468	powershell.exe
4816	powershell.exe
4524	powershell.exe
1156	powershell.exe
3740	powershell.exe
4812	powershell.exe
1760	powershell.exe
1612	powershell.exe
4836	powershell.exe
3652	powershell.exe
5116	powershell.exe
3160	powershell.exe
4028	powershell.exe
1416	powershell.exe
1168	powershell.exe
4444	powershell.exe
1452	powershell.exe
4080	powershell.exe
2440	powershell.exe
3436	powershell.exe
5100	powershell.exe
3180	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 35 IoCs

pid	Process
3968	tmpB951.tmp.exe
3888	tmpB951.tmp.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1272	tmpDC66.tmp.exe
1744	tmpDC66.tmp.exe
2776	winlogon.exe
2936	tmp9DE.tmp.exe
4560	tmp9DE.tmp.exe
3720	winlogon.exe
4080	tmp27B7.tmp.exe
4536	tmp27B7.tmp.exe
4044	winlogon.exe
3936	tmp5724.tmp.exe
4332	tmp5724.tmp.exe
264	winlogon.exe
4544	tmp7327.tmp.exe
4576	tmp7327.tmp.exe
628	winlogon.exe
3440	tmp8ECE.tmp.exe
3376	tmp8ECE.tmp.exe
2028	winlogon.exe
3980	tmpBDDC.tmp.exe
3956	tmpBDDC.tmp.exe
3152	winlogon.exe
1012	tmpECDC.tmp.exe
4012	tmpECDC.tmp.exe
1020	tmpECDC.tmp.exe
3020	winlogon.exe
2408	tmp872.tmp.exe
1932	tmp872.tmp.exe
1616	winlogon.exe
4332	winlogon.exe
1868	tmp523D.tmp.exe
4288	tmp523D.tmp.exe
5116	tmp523D.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 3888	3968	tmpB951.tmp.exe	120
PID 1272 set thread context of 1744	1272	tmpDC66.tmp.exe	187
PID 2936 set thread context of 4560	2936	tmp9DE.tmp.exe	218
PID 4080 set thread context of 4536	4080	tmp27B7.tmp.exe	229
PID 3936 set thread context of 4332	3936	tmp5724.tmp.exe	239
PID 4544 set thread context of 4576	4544	tmp7327.tmp.exe	248
PID 3440 set thread context of 3376	3440	tmp8ECE.tmp.exe	257
PID 3980 set thread context of 3956	3980	tmpBDDC.tmp.exe	266
PID 4012 set thread context of 1020	4012	tmpECDC.tmp.exe	276
PID 2408 set thread context of 1932	2408	tmp872.tmp.exe	285
PID 4288 set thread context of 5116	4288	tmp523D.tmp.exe	301

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\Google\5b884080fd4f94	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\TrustedInstaller.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Google\Update\dllhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Reference Assemblies\04c1e7795967e4	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\TrustedInstaller.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\TrustedInstaller.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\MSBuild\Registry.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\MSBuild\ee2ad38f3d4382	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXB6D0.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\04c1e7795967e4	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Reference Assemblies\TrustedInstaller.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Registry.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Google\fontdrvhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Google\fontdrvhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\VideoLAN\VLC\121e5b5079f7c0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cc11b995f2a76d	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Google\Update\dllhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Google\Update\5940a34987c991	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\VideoLAN\VLC\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\121e5b5079f7c0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\RCXB4BB.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\GameBarPresenceWriter\fontdrvhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\Speech\Common\Idle.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\appcompat\encapsulation\121e5b5079f7c0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\L2Schemas\RCXB2A7.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\L2Schemas\ea1d8f6d871115	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\appcompat\encapsulation\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\L2Schemas\upfc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\GameBarPresenceWriter\5b884080fd4f94	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\de-DE\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\appcompat\encapsulation\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\de-DE\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\L2Schemas\upfc.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBDDC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECDC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp872.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp523D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB951.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDC66.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9DE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp27B7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp523D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5724.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7327.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8ECE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECDC.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4812	schtasks.exe
2584	schtasks.exe
3952	schtasks.exe
4016	schtasks.exe
2196	schtasks.exe
1456	schtasks.exe
4600	schtasks.exe
4028	schtasks.exe
3684	schtasks.exe
2760	schtasks.exe
4292	schtasks.exe
4856	schtasks.exe
1364	schtasks.exe
1156	schtasks.exe
1544	schtasks.exe
3020	schtasks.exe
1876	schtasks.exe
3076	schtasks.exe
3776	schtasks.exe
4892	schtasks.exe
4704	schtasks.exe
2496	schtasks.exe
4652	schtasks.exe
4904	schtasks.exe
2764	schtasks.exe
3488	schtasks.exe
2288	schtasks.exe
3720	schtasks.exe
4524	schtasks.exe
4124	schtasks.exe
2328	schtasks.exe
1948	schtasks.exe
1496	schtasks.exe
1028	schtasks.exe
2708	schtasks.exe
1612	schtasks.exe
2560	schtasks.exe
1072	schtasks.exe
2148	schtasks.exe
5036	schtasks.exe
4944	schtasks.exe
5052	schtasks.exe
2888	schtasks.exe
4304	schtasks.exe
2724	schtasks.exe
1528	schtasks.exe
2688	schtasks.exe
2352	schtasks.exe
1904	schtasks.exe
4308	schtasks.exe
2016	schtasks.exe
1688	schtasks.exe
4624	schtasks.exe
4040	schtasks.exe
3436	schtasks.exe
464	schtasks.exe
3700	schtasks.exe
1884	schtasks.exe
3564	schtasks.exe
4444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
4028	powershell.exe
4028	powershell.exe
3740	powershell.exe
3740	powershell.exe
1416	powershell.exe
1416	powershell.exe
3652	powershell.exe
3652	powershell.exe
2440	powershell.exe
2440	powershell.exe
1156	powershell.exe
1156	powershell.exe
4524	powershell.exe
4524	powershell.exe
5116	powershell.exe
5116	powershell.exe
4836	powershell.exe
4836	powershell.exe
3740	powershell.exe
1168	powershell.exe
1168	powershell.exe
4816	powershell.exe
4816	powershell.exe
4028	powershell.exe
4028	powershell.exe
1416	powershell.exe
4524	powershell.exe
3652	powershell.exe
1168	powershell.exe
2440	powershell.exe
5116	powershell.exe
1156	powershell.exe
4836	powershell.exe
4816	powershell.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1452	powershell.exe
1452	powershell.exe
1760	powershell.exe
1760	powershell.exe
4444	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	4028	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2776	winlogon.exe
Token: SeDebugPrivilege	3720	winlogon.exe
Token: SeDebugPrivilege	4044	winlogon.exe
Token: SeDebugPrivilege	264	winlogon.exe
Token: SeDebugPrivilege	628	winlogon.exe
Token: SeDebugPrivilege	2028	winlogon.exe
Token: SeDebugPrivilege	3152	winlogon.exe
Token: SeDebugPrivilege	3020	winlogon.exe
Token: SeDebugPrivilege	1616	winlogon.exe
Token: SeDebugPrivilege	4332	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4816	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	94
PID 3116 wrote to memory of 4816	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	94
PID 3116 wrote to memory of 4524	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	95
PID 3116 wrote to memory of 4524	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	95
PID 3116 wrote to memory of 4028	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	96
PID 3116 wrote to memory of 4028	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	96
PID 3116 wrote to memory of 1156	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	97
PID 3116 wrote to memory of 1156	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	97
PID 3116 wrote to memory of 4836	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	98
PID 3116 wrote to memory of 4836	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	98
PID 3116 wrote to memory of 3652	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	99
PID 3116 wrote to memory of 3652	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	99
PID 3116 wrote to memory of 2440	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	100
PID 3116 wrote to memory of 2440	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	100
PID 3116 wrote to memory of 1416	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	101
PID 3116 wrote to memory of 1416	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	101
PID 3116 wrote to memory of 1168	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	102
PID 3116 wrote to memory of 1168	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	102
PID 3116 wrote to memory of 3740	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	103
PID 3116 wrote to memory of 3740	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	103
PID 3116 wrote to memory of 5116	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	104
PID 3116 wrote to memory of 5116	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	104
PID 3116 wrote to memory of 1488	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	115
PID 3116 wrote to memory of 1488	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	115
PID 3116 wrote to memory of 3968	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	116
PID 3116 wrote to memory of 3968	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	116
PID 3116 wrote to memory of 3968	3116	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	116
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 3968 wrote to memory of 3888	3968	tmpB951.tmp.exe	120
PID 1488 wrote to memory of 2272	1488	cmd.exe	121
PID 1488 wrote to memory of 2272	1488	cmd.exe	121
PID 1488 wrote to memory of 3928	1488	cmd.exe	128
PID 1488 wrote to memory of 3928	1488	cmd.exe	128
PID 3928 wrote to memory of 1272	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	183
PID 3928 wrote to memory of 1272	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	183
PID 3928 wrote to memory of 1272	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	183
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 1272 wrote to memory of 1744	1272	tmpDC66.tmp.exe	187
PID 3928 wrote to memory of 3160	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	190
PID 3928 wrote to memory of 3160	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	190
PID 3928 wrote to memory of 4444	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	191
PID 3928 wrote to memory of 4444	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	191
PID 3928 wrote to memory of 4812	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	193
PID 3928 wrote to memory of 4812	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	193
PID 3928 wrote to memory of 1452	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	194
PID 3928 wrote to memory of 1452	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	194
PID 3928 wrote to memory of 3180	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	195
PID 3928 wrote to memory of 3180	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	195
PID 3928 wrote to memory of 5100	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	197
PID 3928 wrote to memory of 5100	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	197
PID 3928 wrote to memory of 3436	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	198
PID 3928 wrote to memory of 3436	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	198
PID 3928 wrote to memory of 3468	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	199
PID 3928 wrote to memory of 3468	3928	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	199

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
"C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gOBUt9HLXL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
    "C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\tmpDC66.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpDC66.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\tmpDC66.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDC66.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:1744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
      "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2776
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d16cbe-65dc-478b-bf4d-4dd86a67e292.vbs"
        5⤵
        
        PID:2688
      - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43dfe78f-21c8-49b6-a1f2-a0cfa1920d25.vbs"
        7⤵
        
        PID:816
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00408dea-0f34-47a9-a4b6-35abf038d620.vbs"
        9⤵
        
        PID:412
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5c8f499-210c-4098-9be6-6fba092a4920.vbs"
        11⤵
        
        PID:5084
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e168d3da-e3e0-4e43-9be6-567bcb09bef0.vbs"
        13⤵
        
        PID:916
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf17cbea-0f60-47da-a3c4-11b7758ce77f.vbs"
        15⤵
        
        PID:1496
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5554755-0eff-4fc7-bd0d-aa3c153456dd.vbs"
        17⤵
        
        PID:2016
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7de9eab-401b-49b9-b692-91a13b5e8240.vbs"
        19⤵
        
        PID:632
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e521b1f0-bfd6-47ca-a601-8fbd516dcfab.vbs"
        21⤵
        
        PID:1524
        
        C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe
        
        "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18589c00-772d-4c77-9fad-1c880a22b543.vbs"
        23⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ba040c8-a76b-4a3c-8d90-2ee6a1e8e6c5.vbs"
        23⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp523D.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e94c153-3f35-4687-8e1d-bfc9c13032da.vbs"
        21⤵
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9de4f79-4799-4922-9be8-38cee93bef01.vbs"
        19⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp872.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp872.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp872.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp872.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20ab3598-d1c7-414a-b515-4e636b853d37.vbs"
        17⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8370ee3-5398-4d69-8015-300ce91c99c9.vbs"
        15⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBDDC.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b83b3fc-37ea-437d-9083-a7f28edd6f6d.vbs"
        13⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8ECE.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317b5e1b-0eb2-44e5-8fd0-496ccecb55d6.vbs"
        11⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7327.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7327.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7327.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7327.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c38d4dcd-8551-4224-88db-4e09a6df7043.vbs"
        9⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea6114fa-4a3a-4a08-9120-c843c061b4e8.vbs"
        7⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp27B7.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f32c057f-8ed5-46ad-a74b-5b33b267ad8c.vbs"
        5⤵
        
        PID:2148
    - - C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4560
- C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\TrustedInstaller.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\encapsulation\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
816d03b14553d8d2cd19771bf135873f

SHA1
3efdd566ca724299705e7c30d4cbb84349b7a1ae

SHA256
70d3acdba0037de3d175aca44a86daf8392b2350f6f8b026b7accb02f95a9304

SHA512
365ac792e05619e5ef42b40f1e4dd5d1ebb18a5a409be9c5428e52be7896f4b18eef2a93a4e0f5e1930996bf70798fe45fc5b6d829687d975191015944dbbdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
01841b4277227c0578c89131444e7d57

SHA1
b00fbb6cabb5d09d50c28c0fdc62e5e6917b0c5d

SHA256
34797c2cafe0d94ea265e6aba8e38c3c34532e125bdd6dc8c1eab16a977a8cfa

SHA512
15c656ce162ff535506f9f22d285355576e53b89baebc1064523ab59f2eccb111cdd71c1fd66e59995d0727993bd268c976a9bd6cd78ff78d19a3c13436f0497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b740f7616c3c3d006afd7e1586758eeb

SHA1
c465af4c07ecb9e3de239c410d3b2ed5de93cdde

SHA256
c11b84252afa74e4f323fcbae853cb45217a65d70ac44dea182f9ec872bd9872

SHA512
d4dd7531d48a9f6d6432fe0d55cefc76139566c54514ba722d76e5bd4371bfca0e491939795883de21901eac98b1af7236ea83281a7dde8befe16719993f185e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bc113211a3e72478c93989952aee3251

SHA1
5eeb2f2e4642ef5f147dd118742ea3c3dcf0cd16

SHA256
c6059355503eca5b35ac8446442eb5031ab610b7353cd2e8a3cf07dc99469fae

SHA512
c0748cc3a4b701f5cefeeaf9ac1bdbae28cfcf1dad8e89a2db2c756b908011ee8e945b6d02bef816763fc5acc38a72657316f5cd56c62342c8e779a50f4f4460

Download Submit
C:\Users\Admin\AppData\Local\Temp\00408dea-0f34-47a9-a4b6-35abf038d620.vbs

Filesize
742B

MD5
d60e4837599be5717ce1c65279a528af

SHA1
9d2abd301603ebf9defed7ce42ba891ef9fd6cae

SHA256
64ca5663f9a20b536f8922607552e0726110cf0bab205c60ced8bfc913a5cf71

SHA512
525d3d47afc93d560de91a1e14a5faa36e30f8e4c6cc18d8bb9ae6d5607c4964940368aee927665590cc337476c3f57dfc1602cb459046905428b0b7d99b9064

Download Submit
C:\Users\Admin\AppData\Local\Temp\43dfe78f-21c8-49b6-a1f2-a0cfa1920d25.vbs

Filesize
742B

MD5
eebc7bb030b1f09a8c0394171a5e6b3e

SHA1
0f2246fdb23b38fb4cff7ca501ee428b647b5e93

SHA256
b02e71e94e62ed8fd82040046fc776bf71a296613e87108f3edebfadd2c6533b

SHA512
df1b4c5d2b076019aa51581e879d1c06d3588ce9a02cc1afdcd8edd8e1109d77536a1271315e7dbdffdc121090e4e8d058e37742028d598865a905b92b8b2ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_di34i3j0.ti3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5c8f499-210c-4098-9be6-6fba092a4920.vbs

Filesize
741B

MD5
ba341059174bed12ae267b2d765a6619

SHA1
fe1aab1ea96edb2e8fad8d2c9d43db14b7f2e83a

SHA256
35d55a6dabf3ca1470d81a1e224f40c760fdc48b3d6dbef6fe0a1ffe41952511

SHA512
604de6c3a81a9678bae91b3d32e7d04e8cbcb5c66a52f6e27d146167bef06e287ad5e866dd43067a53d192d7bbac5bc7a945cb3abc13b724e2467717e9f73164

Download Submit
C:\Users\Admin\AppData\Local\Temp\e168d3da-e3e0-4e43-9be6-567bcb09bef0.vbs

Filesize
741B

MD5
2d032bce60faf6ec51b1e2516710d050

SHA1
34668afedb85457ce73c6ab8c765e2cebc3575f9

SHA256
49a0b7fd276908632137d2de35bf16b23354e8970b0db5b1a62a9d235249da69

SHA512
8c8916dd08f1f06c7a558967725d3c38cf0d4ed1d50ec52c5cf868756ba2516b53f453ecd1b76f04fa87a3e9c876c31f35ee8fe9ae3a58f0cb4d3455c30e7156

Download Submit
C:\Users\Admin\AppData\Local\Temp\f32c057f-8ed5-46ad-a74b-5b33b267ad8c.vbs

Filesize
518B

MD5
df9165cfd293496c5377a0f555b14953

SHA1
379a8c8a8db1a8ea643d51482a79f431e0bd7825

SHA256
263504c42f23f109c49d69fbdc15c75cc04ab06b3e47b67833335156be8510e1

SHA512
32e242f20381a88578dfdb14b76b6808513ed089f91081aed3673cf780e059f4276c25851b23245f85f34a44a9b38ed32ee28f9b9c33c63c5c626564ebd3b7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5d16cbe-65dc-478b-bf4d-4dd86a67e292.vbs

Filesize
742B

MD5
71e4b3a7084d109efa7c0a1056acafdd

SHA1
4c565418eac8f2250dcde68b584fb2f153a45cd4

SHA256
6fd2468cff03991840030fcae4f2c65f6548505d9f43d8be76f9e3978aa33430

SHA512
120a07b41a088d927852980851eec375d562edbbb606d5543b53421e863b51026356e87406104628f76548248fb26201ccf0f1d1748b9efb99187d13ec3e5b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gOBUt9HLXL.bat

Filesize
267B

MD5
e2c3956c9670e9fda629711bb71e12fe

SHA1
f6e8ad6aa26278e275893e57b63a6a44f651006c

SHA256
2c216a711c40108f1ef03ec4918cc6cf9cb962e5760dd207c6eee3c020467844

SHA512
cd11fe71d967ee1961c7b6cb20e6319644cfa8345ac09e22c86e3cfb1b92de96f6e8f1f2393f5e92f11abcc4b9bffe1385cd4f1140242cfd551547ce2db9e6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB951.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\L2Schemas\upfc.exe

Filesize
4.9MB

MD5
7c5669c1eb8e15de18ad5888920de3f7

SHA1
62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb

SHA256
8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

SHA512
791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db

Download Submit
memory/3116-11-0x000000001BB70000-0x000000001BB82000-memory.dmp

Filesize
72KB

Download
memory/3116-5-0x000000001BBC0000-0x000000001BC10000-memory.dmp

Filesize
320KB

Download
memory/3116-71-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3116-12-0x000000001C880000-0x000000001CDA8000-memory.dmp

Filesize
5.2MB

Download
memory/3116-15-0x000000001BBA0000-0x000000001BBAE000-memory.dmp

Filesize
56KB

Download
memory/3116-13-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/3116-14-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/3116-17-0x000000001C350000-0x000000001C358000-memory.dmp

Filesize
32KB

Download
memory/3116-10-0x000000001BB10000-0x000000001BB1A000-memory.dmp

Filesize
40KB

Download
memory/3116-9-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/3116-8-0x000000001BAF0000-0x000000001BB06000-memory.dmp

Filesize
88KB

Download
memory/3116-18-0x000000001C460000-0x000000001C46C000-memory.dmp

Filesize
48KB

Download
memory/3116-6-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/3116-7-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/3116-4-0x0000000001710000-0x000000000172C000-memory.dmp

Filesize
112KB

Download
memory/3116-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

Filesize
8KB

Download
memory/3116-16-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/3116-3-0x000000001BC20000-0x000000001BD4E000-memory.dmp

Filesize
1.2MB

Download
memory/3116-2-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

Filesize
10.8MB

Download
memory/3116-1-0x00000000008C0000-0x0000000000DB4000-memory.dmp

Filesize
5.0MB

Download
memory/3888-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4028-70-0x000002491F260000-0x000002491F282000-memory.dmp

Filesize
136KB

Download
memory/4044-497-0x0000000003620000-0x0000000003632000-memory.dmp

Filesize
72KB

Download