Analysis
max time kernel: 106s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2024 19:25
Static task: static1
Behavioral task: behavioral1
Sample: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe
Resource: win7-20240903-en
General
Target: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe
Size: 4.9MB
MD5: 8166ebc39d1512752acaffb4d39c5d5e
SHA1: b775680b1042ab888e69ca29f0a1291fdf215d1c
SHA256: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74
SHA512: 47fbb2182e52e3c743ccc59e2a2752a15b24dadcaa587662f4ba14e5207e85abe7a300697f975bae4f29b4c91bdbbff1b7657c3a4cedba83aa6d8a61b4cc3b5b
SSDEEP: 49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8a:C
Malware Config
Extracted
Family: colibri
Version: 1.2.0
Build: Build1
C2: http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
C2: http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
Colibri family
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Dcrat family
Process spawned unexpected child process 48 IoCs
This typically indicates the parent process was compromised via an exploit or macro. With wmiprvse.exe as the parent, as in all 48 entries below, the more common cause is process creation through WMI (Win32_Process.Create): the new process is parented by the WMI provider host rather than by the process that issued the WMI call, so the real originator is not visible in this table.
description (all 48 entries): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Process: schtasks.exe; pid_target: 2476; procid_target: 83 (the same wmiprvse.exe parent in every entry)
pid (48 schtasks.exe instances): 4408, 216, 2012, 2124, 3932, 5016, 2260, 3584, 4548, 2412, 2684, 4932, 2328, 4816, 3688, 2156, 2736, 4584, 2460, 3896, 1556, 2116, 1088, 4904, 776, 4612, 3376, 4568, 1536, 3828, 2200, 4536, 2348, 3028, 1820, 928, 1008, 2032, 536, 2524, 2196, 408, 3348, 3076, 736, 4244, 4860, 4188
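A detection pass over process-creation events for the parent/child anomaly this table records, written as an added example for this page (not Triage's code and not part of the report). It assumes Sysmon Event ID 1 field names (Image, ParentImage, ProcessId, ParentProcessId, CommandLine) and a hypothetical deny list; the events are constructed from five of the report's schtasks.exe pids under parent pid 2476, with placeholder command lines because the report does not show the real ones.

```python
"""Parent/child anomaly detection over process-creation events.

Added example; not part of the sandbox report or of Triage. The events are
constructed to mirror the report's table (wmiprvse.exe pid 2476 creating
schtasks.exe), with Sysmon Event ID 1 field names assumed for the example.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Child images a given parent should not normally create. This deny list is an
# assumption for the example; tune it to what is normal in your environment.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "powershell.exe", "cmd.exe", "rundll32.exe"},
    "winword.exe": {"cmd.exe", "powershell.exe", "wscript.exe"},
}


def _image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def find_unexpected_children(events):
    """Return one alert dict per event whose (parent, child) pair is denied."""
    alerts = []
    for ev in events:
        parent = _image_name(ev["ParentImage"])
        child = _image_name(ev["Image"])
        if child in UNEXPECTED_CHILDREN.get(parent, ()):
            alerts.append({
                "parent_pid": ev["ParentProcessId"], "parent": parent,
                "pid": ev["ProcessId"], "child": child,
                "cmdline": ev.get("CommandLine", ""),
            })
    return alerts


def parent_fanout(events, child_name, threshold):
    """Count children of a given image per parent (pid, image) and return the
    parents at or above the threshold. One WmiPrvSE instance creating dozens
    of schtasks.exe is the shape of a persistence loop, and the WMI provider
    host hides which process actually asked for the tasks."""
    counts = defaultdict(int)
    for ev in events:
        if _image_name(ev["Image"]) == child_name:
            counts[(ev["ParentProcessId"], _image_name(ev["ParentImage"]))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def _event(pid, image, ppid, parent_image, cmdline):
    return {"ProcessId": pid, "Image": image, "ParentProcessId": ppid,
            "ParentImage": parent_image, "CommandLine": cmdline}


WMI_HOST = r"C:\Windows\system32\wbem\wmiprvse.exe"
# Constructed events: five of the report's 48 schtasks.exe pids under the
# wmiprvse.exe parent, plus benign activity that must not alert. The schtasks
# command lines are placeholders; the report does not show the real ones.
SAMPLE_EVENTS = [
    _event(pid, r"C:\Windows\system32\schtasks.exe", 2476, WMI_HOST,
           'schtasks.exe /create /tn placeholder /tr "C:\\placeholder.exe" /sc minute')
    for pid in (4408, 216, 2012, 2124, 3932)
] + [
    _event(1280, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", 3000,
           r"C:\Windows\explorer.exe", "sample.exe"),
    _event(2476, WMI_HOST, 700, r"C:\Windows\system32\svchost.exe",
           "wmiprvse.exe -secured -Embedding"),
    _event(5200, r"C:\Windows\system32\schtasks.exe", 3100,
           r"C:\Windows\system32\cmd.exe", "schtasks /query"),
]

if __name__ == "__main__":
    for a in find_unexpected_children(SAMPLE_EVENTS):
        print(f"{a['parent']}[{a['parent_pid']}] -> {a['child']}[{a['pid']}]: {a['cmdline']}")
    print(parent_fanout(SAMPLE_EVENTS, "schtasks.exe", threshold=3))
```

The deny-list check fires per event; the fan-out check is the one that distinguishes a single WMI-driven task creation from the 48-in-a-row pattern above, and it is also the place to pivot to WMI-Activity operational logs or Sysmon Event ID 1 for the process that called Win32_Process.Create.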
description ioc Process (30 IoCs)
Together these three values disable UAC: EnableLUA = 0 turns UAC off entirely (effective after the next restart), ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt, and PromptOnSecureDesktop = 0 keeps whatever prompt remains off the secure desktop.
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0": System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0": System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
resource: behavioral2/memory/1280-3-0x000000001B780000-0x000000001B8AE000-memory.dmp; yara_rule: dcrat
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid (11 powershell.exe instances): 3492, 776, 3752, 2732, 2468, 4984, 1108, 4612, 4904, 1720, 2716
Note: pids 776, 4612 and 4904 also appear as schtasks.exe in the scheduled-task list, and 1108 and 4612 as tmp*.tmp.exe in the dropped-EXE list. The sandbox reuses pids once a process has exited, so correlate entries on the report's procid_target values rather than on pid alone.
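The report lists only the powershell.exe pids, not the commands they ran. As an added example (not from the report or from Triage), the following detector pulls the excluded paths, processes and extensions out of a PowerShell command line, including the abbreviated parameter names PowerShell accepts and -EncodedCommand payloads. The command lines are constructed; the paths in them reuse the report's drop directories only as illustrative strings.

```python
"""Find Defender exclusions added through PowerShell command lines.

Added example; not part of the sandbox report, which lists only the
powershell.exe pids. The command lines below are constructed; the paths
reuse drop locations from the report as illustrative strings.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -ExclusionPa is parsed as -ExclusionPath. The leading letters that
# disambiguate each Add-/Set-MpPreference exclusion parameter:
_KINDS = {"pa": "Path", "pr": "Process", "e": "Extension", "i": "IpAddress"}
_MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
_PARAM = re.compile(
    r"(?i)-Exclusion(Pa[a-z]*|Pr[a-z]*|E[a-z]*|I[a-z]*)\b\s+(.*?)(?=\s-[A-Za-z]|$)")
# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec,
# -enc, ...), followed by a base64 blob of UTF-16LE script text.
_ENCODED = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the script text carried by -EncodedCommand (base64 of UTF-16LE),
    or the command line unchanged when there is none or it does not decode."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def find_defender_exclusions(cmdline):
    """Return [(kind, value), ...] for each exclusion an Add-MpPreference or
    Set-MpPreference call in the command line adds, after decoding any
    -EncodedCommand payload. Comma-separated value lists are split."""
    text = decode_encoded_command(cmdline)
    if not _MPPREF.search(text):
        return []
    found = []
    for m in _PARAM.finditer(text):
        prefix = m.group(1).lower()
        kind = _KINDS.get(prefix[:2]) or _KINDS[prefix[0]]
        for part in m.group(2).split(","):
            value = part.strip().strip("\"'")
            if value:
                found.append((kind, value))
    return found


# Constructed command lines (not taken from the report).
PLAIN = ('powershell.exe -WindowStyle Hidden -Command "Add-MpPreference '
         "-ExclusionPath 'C:\\Windows\\PLA', 'C:\\Program Files\\Google\\Chrome\\Application' "
         '-ExclusionProcess unsecapp.exe"')
ABBREVIATED = r"powershell Set-MpPreference -ExclusionPa C:\Windows\DiagTrack\Scenarios"
ENCODED = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    "Add-MpPreference -ExclusionExtension .exe,.tmp".encode("utf-16-le")).decode("ascii")
BENIGN = "powershell.exe Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"

if __name__ == "__main__":
    for name, line in (("plain", PLAIN), ("abbreviated", ABBREVIATED),
                       ("encoded", ENCODED), ("benign", BENIGN)):
        print(name, find_defender_exclusions(line))
```

Run this over Sysmon Event ID 1 command lines or, better, over PowerShell script-block logs (Event ID 4104), which expose the decoded text even when the command line only shows a base64 blob. The value capture stops at the next whitespace-prefixed dash, so an excluded path containing " -" would be truncated; that is rare enough that the simpler regex is the better trade-off here.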
Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation: System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Executes dropped EXE 64 IoCs
pid Process (in the order observed; each tmp*.tmp.exe runs as a pair of instances, followed by a System.exe instance)
552, 2752: tmpAFCB.tmp.exe
4168: System.exe
2640, 4608: tmpE0CB.tmp.exe
5112: System.exe
1108, 4480: tmp147D.tmp.exe
1516: System.exe
4612, 1504: tmp463B.tmp.exe
3660: System.exe
1220, 4724: tmp7A7A.tmp.exe
2432: System.exe
4636, 1500: tmpAC58.tmp.exe
2320: System.exe
4616, 4504: tmpCA7F.tmp.exe
2016: System.exe
tmpFAF5.tmp.exe (43 instances): 1552, 1352, 3444, 2888, 1308, 2628, 2036, 4972, 1200, 1692, 3552, 3144, 3468, 4636, 3348, 112, 4612, 2836, 3844, 4464, 2724, 1528, 3164, 4164, 2352, 1356, 2660, 3636, 3416, 512, 3076, 2132, 388, 2784, 5036, 4504, 1480, 3720, 4988, 4576, 4008, 1036, 3192
description ioc Process (20 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: System.exe (9 entries), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Drops file in System32 directory 1 IoCs
File created C:\Windows\SysWOW64\dllhost.exe: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe
Unlike the Program Files and Windows-directory drops below, this path is where the legitimate 32-bit dllhost.exe lives on 64-bit Windows, so a name-versus-location check does not flag it; compare the file's Authenticode signature or hash against a known-good copy instead.
Suspicious use of SetThreadContext 9 IoCs
description | pid | Process | procid_target
PID 552 set thread context of 2752 | 552 | tmpAFCB.tmp.exe | 135
PID 2640 set thread context of 4608 | 2640 | tmpE0CB.tmp.exe | 178
PID 1108 set thread context of 4480 | 1108 | tmp147D.tmp.exe | 189
PID 4612 set thread context of 1504 | 4612 | tmp463B.tmp.exe | 200
PID 1220 set thread context of 4724 | 1220 | tmp7A7A.tmp.exe | 209
PID 4636 set thread context of 1500 | 4636 | tmpAC58.tmp.exe | 219
PID 4616 set thread context of 4504 | 4616 | tmpCA7F.tmp.exe | 229
PID 2224 set thread context of 2100 | 2224 | tmp1A74.tmp.exe | 840
PID 3376 set thread context of 1968 | 3376 | tmp35BC.tmp.exe | 1136
Every entry pairs a process with a second instance of the same image (552 and 2752 are both tmpAFCB.tmp.exe, and so on), and the WriteProcessMemory list below shows the same source writing into the same target beforehand (552 wrote to 2752 seven times, procid_target 135 in both tables). A fresh instance of the same binary that receives memory writes and then a thread-context change is the shape of RunPE-style process hollowing: the child is created suspended, its image is replaced in memory, and its entry point is redirected before it resumes.
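A correlation of the WriteProcessMemory and SetThreadContext entries into hollowing candidates, added here as an example (not from the report or from Triage). The event stream is constructed from the report's pairs (552 into 2752 with seven writes, 2640 into 4608, and 1280 writing into powershell.exe with no context change); the event schema and the write count for the 2640 pair are assumed.

```python
"""Correlate WriteProcessMemory and SetThreadContext into hollowing candidates.

Added example; not part of the sandbox report. The event stream is constructed
from the report's tables (552 -> 2752 tmpAFCB.tmp.exe, 2640 -> 4608
tmpE0CB.tmp.exe, 1280 -> 2732 powershell.exe); the event schema is assumed.
"""
from collections import defaultdict


def find_hollowing(events, min_writes=1):
    """Return candidates where a source process wrote into a target's memory
    and afterwards changed one of its thread contexts. Events are dicts with
    keys api, pid, target, image and target_image, in observed order. A target
    that shares the source's image (a second instance of the same binary) is
    marked same_image, the RunPE pattern seen in the report."""
    writes = defaultdict(int)       # (pid, target) -> writes seen so far
    candidates = []
    seen = set()
    for ev in events:
        key = (ev["pid"], ev["target"])
        if ev["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif ev["api"] == "SetThreadContext" and key not in seen:
            if writes[key] >= min_writes:   # writes must precede the context change
                seen.add(key)
                candidates.append({
                    "pid": ev["pid"], "target": ev["target"],
                    "image": ev["image"], "target_image": ev["target_image"],
                    "writes": writes[key],
                    "same_image": ev["image"].lower() == ev["target_image"].lower(),
                })
    return candidates


def _ev(api, pid, target, image, target_image):
    return {"api": api, "pid": pid, "target": target,
            "image": image, "target_image": target_image}


# Constructed stream: the report's 552 -> 2752 pair (seven writes, then
# SetThreadContext), the 2640 -> 4608 pair with an assumed write count, and
# 1280 writing into a powershell.exe child without any thread-context change,
# which on its own is not hollowing. A context change with no preceding write
# (a debugger, for instance) is not reported either.
SAMPLE_EVENTS = (
    [_ev("WriteProcessMemory", 552, 2752, "tmpAFCB.tmp.exe", "tmpAFCB.tmp.exe")] * 7
    + [_ev("SetThreadContext", 552, 2752, "tmpAFCB.tmp.exe", "tmpAFCB.tmp.exe")]
    + [_ev("WriteProcessMemory", 1280, 2732, "sample.exe", "powershell.exe")] * 2
    + [_ev("WriteProcessMemory", 2640, 4608, "tmpE0CB.tmp.exe", "tmpE0CB.tmp.exe")] * 3
    + [_ev("SetThreadContext", 2640, 4608, "tmpE0CB.tmp.exe", "tmpE0CB.tmp.exe")]
    + [_ev("SetThreadContext", 9000, 9001, "debugger.exe", "app.exe")]
)

if __name__ == "__main__":
    for c in find_hollowing(SAMPLE_EVENTS):
        print(f"{c['image']}[{c['pid']}] -> {c['target_image']}[{c['target']}]: "
              f"{c['writes']} writes, same image: {c['same_image']}")
```

Raising min_writes filters out the one or two writes a parent makes into any child at creation time; a RunPE loader writes headers plus one region per section, so several writes before the context change is the useful signal, and same_image separates self-hollowing loaders like the tmp*.tmp.exe pairs from injection into an unrelated host process.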
Drops file in Program Files directory 28 IoCs
Process for all 28 entries: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe. Each target directory receives an executable under a Windows system-binary name, a 14-hex-character companion file, and an RCX*.tmp file opened for modification.
C:\Program Files (x86)\Windows NT\Accessories\: csrss.exe (created; opened for modification), 886983d96e3d3e (created), RCXBE49.tmp (opened for modification)
C:\Program Files (x86)\Mozilla Maintenance Service\logs\: sihost.exe (created; opened for modification), backgroundTaskHost.exe (created; opened for modification), eddb19405b7ce1 (created), 66fc9ff0ee96c2 (created), RCXB9A3.tmp (opened for modification), RCXC06D.tmp (opened for modification)
C:\Program Files\Google\Chrome\Application\: unsecapp.exe (created; opened for modification), 29c1c3cc0f7685 (created), RCXB104.tmp (opened for modification)
C:\Program Files\WindowsPowerShell\Configuration\Schema\: TextInputHost.exe (created; opened for modification), 22eafd247d37c3 (created), RCXB53C.tmp (opened for modification)
C:\Program Files\Windows NT\TableTextService\en-US\: csrss.exe (created; opened for modification), 886983d96e3d3e (created), RCXC281.tmp (opened for modification)
C:\Program Files (x86)\Windows Multimedia Platform\: services.exe (created; opened for modification), c5b4cb5e9653cc (created), RCXC717.tmp (opened for modification)
Drops file in Windows directory 9 IoCs
Process for all 9 entries: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe
C:\Windows\PLA\: unsecapp.exe (created; opened for modification), 29c1c3cc0f7685 (created), RCXCDC1.tmp (opened for modification)
C:\Windows\DiagTrack\Scenarios\: dllhost.exe (created; opened for modification), 5940a34987c991 (created), RCXCBAD.tmp (opened for modification)
C:\Windows\WaaS\services\: unsecapp.exe (created)
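The dropped names (csrss.exe, services.exe, sihost.exe, dllhost.exe, unsecapp.exe, backgroundTaskHost.exe, TextInputHost.exe) are all genuine Windows binaries placed in directories where they do not belong, each next to a 14-hex-character companion file. The check below, added here as an example and not taken from the report or from Triage, flags system-binary names outside their expected directory and directories that carry the companion-file pattern. The expected-location table is an assumption for the example (a deployment would derive it from a known-good image); the sample paths are the report's, plus two constructed benign controls.

```python
"""Flag system-binary names dropped outside their home directories.

Added example; not part of the sandbox report. EXPECTED_DIRS is an assumption
for the example; the sample paths come from the report's drop lists, with two
constructed benign entries as controls.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Where each image name legitimately lives on 64-bit Windows 10 (assumed for
# the example). A trailing "\*" allows any subdirectory of that location.
EXPECTED_DIRS = {
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "sihost.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "textinputhost.exe": {r"c:\windows\systemapps\*"},
}
MARKER = re.compile(r"^[0-9a-f]{14}$")               # companion files seen in the report
RCX_TMP = re.compile(r"^RCX[0-9A-F]{4}\.tmp$", re.I)  # staging files seen in the report


def _dir_allowed(parent, allowed):
    for d in allowed:
        if d.endswith("\\*"):
            if parent.startswith(d[:-1]):
                return True
        elif parent == d:
            return True
    return False


def is_masquerading(path):
    """True when the file name is a known system binary and its directory is
    not one of the locations that binary legitimately occupies."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return False
    return not _dir_allowed(str(p.parent).lower(), EXPECTED_DIRS[name])


def triage_drops(paths):
    """Classify dropped paths: masquerading executables, directories holding a
    masquerading executable next to a 14-hex marker file, and RCX*.tmp files."""
    by_dir = defaultdict(list)
    result = {"masquerading": [], "marker_dirs": [], "temp_files": []}
    for path in paths:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].append(p.name)
        if is_masquerading(path):
            result["masquerading"].append(path)
        elif RCX_TMP.match(p.name):
            result["temp_files"].append(path)
    for d, names in by_dir.items():
        has_exe = any(is_masquerading(str(PureWindowsPath(d, n))) for n in names)
        has_marker = any(MARKER.match(n) for n in names)
        if has_exe and has_marker:
            result["marker_dirs"].append(d)
    return result


SAMPLE_DROPS = [
    r"C:\Program Files (x86)\Windows NT\Accessories\csrss.exe",
    r"C:\Program Files (x86)\Windows NT\Accessories\886983d96e3d3e",
    r"C:\Program Files (x86)\Windows NT\Accessories\RCXBE49.tmp",
    r"C:\Program Files\Google\Chrome\Application\unsecapp.exe",
    r"C:\Program Files\Google\Chrome\Application\29c1c3cc0f7685",
    r"C:\Program Files\WindowsPowerShell\Configuration\Schema\TextInputHost.exe",
    r"C:\Windows\PLA\unsecapp.exe",
    r"C:\Windows\PLA\29c1c3cc0f7685",
    r"C:\Windows\WaaS\services\unsecapp.exe",
    r"C:\Windows\SysWOW64\dllhost.exe",
    # constructed benign controls: the real homes of two of the names above
    r"C:\Windows\System32\wbem\unsecapp.exe",
    r"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe",
]

if __name__ == "__main__":
    for key, items in triage_drops(SAMPLE_DROPS).items():
        print(key, *items, sep="\n  ")
```

The location check is deliberately silent on C:\Windows\SysWOW64\dllhost.exe, the one drop from this report that lands where a real dllhost.exe already lives; that case needs a signature or hash comparison, not a path rule. On a live host the same function can be run over file-creation events (Sysmon Event ID 11) rather than a static list.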
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: tmpFAF5.tmp.exe (63 entries), tmp35BC.tmp.exe (1 entry)
Modifies registry class 10 IoCs
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings: System.exe (9 entries)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\: c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1 entry)
Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. These 48 pids are the same schtasks.exe instances listed under "Process spawned unexpected child process" above, all parented by wmiprvse.exe (pid 2476).
pid (48 schtasks.exe instances): 4860, 2736, 3932, 5016, 2260, 3584, 2156, 4584, 736, 4408, 2684, 1556, 1088, 2348, 2524, 408, 216, 4904, 2032, 2412, 3896, 2116, 776, 1820, 4188, 4932, 4816, 2460, 3376, 4536, 3028, 1008, 3076, 2328, 3688, 4568, 536, 4244, 4548, 2124, 4612, 1536, 3828, 2200, 928, 2196, 2012, 3348
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid Process (entries repeat; count of entries in parentheses)
1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (8)
powershell.exe: 3492 (4), 2716 (4), 4612 (3), 3752 (3), 2732 (3), 1720 (3), 4904 (3), 4984 (3), 1108 (3), 776 (3), 2468 (3)
System.exe: 4168 (2), 5112 (1), 1516 (1), 3660 (1), 2432 (1), 2320 (1), 2016 (1), 1608 (1), 4504 (1)
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process
Token: SeDebugPrivilege 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe
Token: SeDebugPrivilege powershell.exe, pids 3492, 4612, 1108, 3752, 2716, 4904, 2732, 1720, 776, 4984, 2468
Token: SeDebugPrivilege System.exe, pids 4168, 5112, 1516, 3660, 2432, 2320, 2016, 1608, 4504 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (times observed)
PID 1280 wrote to memory of 552 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 132 (3)
PID 552 wrote to memory of 2752 552 tmpAFCB.tmp.exe 135 (7)
PID 1280 wrote to memory of 2732 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 146 (2)
PID 1280 wrote to memory of 2468 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 147 (2)
PID 1280 wrote to memory of 4984 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 148 (2)
PID 1280 wrote to memory of 4904 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 149 (2)
PID 1280 wrote to memory of 3752 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 150 (2)
PID 1280 wrote to memory of 776 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 151 (2)
PID 1280 wrote to memory of 3492 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 152 (2)
PID 1280 wrote to memory of 4612 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 153 (2)
PID 1280 wrote to memory of 1108 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 154 (2)
PID 1280 wrote to memory of 2716 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 155 (2)
PID 1280 wrote to memory of 1720 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 156 (2)
PID 1280 wrote to memory of 4168 1280 c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe 170 (2)
PID 4168 wrote to memory of 2660 4168 System.exe 174 (2)
PID 4168 wrote to memory of 1648 4168 System.exe 175 (2)
PID 4168 wrote to memory of 2640 4168 System.exe 176 (3)
PID 2640 wrote to memory of 4608 2640 tmpE0CB.tmp.exe 178 (7)
PID 2660 wrote to memory of 5112 2660 WScript.exe 181 (2)
PID 5112 wrote to memory of 3688 5112 System.exe 183 (2)
PID 5112 wrote to memory of 1476 5112 System.exe 184 (2)
PID 5112 wrote to memory of 1108 5112 System.exe 186 (3)
PID 1108 wrote to memory of 4480 1108 tmp147D.tmp.exe 189 (7) -
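The write pattern above repeats at every stage: the dropper writes into the child it just created, each tmp*.tmp.exe writes seven times into a second copy of its own image (the tree below also tags those parents with "Suspicious use of SetThreadContext", which together is the classic hollowed-child shape), and System.exe is relaunched through WScript.exe. Note that the sandbox tree is keyed by PID and PIDs are recycled: 1108 is first a powershell.exe child of 1280 and later the tmp147D.tmp.exe child of 5112. The PowerShell below is an added example, not part of the report or of the sample; it walks the live process list on a suspect host and flags the three chain shapes seen here, rejecting a parent that started after its child so a recycled PID cannot produce a false link. The path patterns are assumptions taken from this report.

```powershell
# Added example, not part of the sandbox report or the sample. Flags live process
# chains that match this report's tree. Win32_Process only records ParentProcessId
# and PIDs are recycled (here 1108 is first powershell.exe and later tmp147D.tmp.exe),
# so a "parent" that started after its child is discarded.
function Get-SuspiciousProcessChain {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent -or $parent.CreationDate -gt $p.CreationDate) { continue }

        $path       = $p.ExecutablePath
        $parentPath = $parent.ExecutablePath
        $reason     = $null

        if ($path -like 'C:\Recovery\*' -and $parent.Name -ieq 'wscript.exe') {
            # Dropped payload started from the recovery folder by a script host
            $reason = 'wscript.exe launched a binary from C:\Recovery'
        }
        elseif ($path -and $path -ieq $parentPath -and $path -like '*\AppData\Local\Temp\*') {
            # A Temp-resident binary re-launching its own image; with the repeated
            # WriteProcessMemory + SetThreadContext pairs this is consistent with hollowing
            $reason = 'Temp binary spawned a copy of itself'
        }
        elseif ($p.Name -ieq 'powershell.exe' -and $p.CommandLine -match 'Add-MpPreference\s+-ExclusionPath') {
            $reason = 'PowerShell adding a Defender exclusion'
        }

        if ($reason) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = '{0}({1})' -f $parent.Name, $parent.ProcessId
                Path        = $path
                CommandLine = $p.CommandLine
                Reason      = $reason
            }
        }
    }
}

Get-SuspiciousProcessChain | Format-Table -AutoSize -Wrap
```

This only sees processes still alive; the short-lived tmp*.tmp.exe hollowing children will usually be gone. For retrospective work use Sysmon Event ID 1, which records ParentProcessGuid and ParentCommandLine and so is immune to the PID-reuse problem, or Security 4688 with command-line auditing enabled.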
System policy modification 1 TTPs 30 IoCs
description ioc Process (times observed)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe (9), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" System.exe (9), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" System.exe (9), c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe (1) -
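The three values above are the whole of UAC: EnableLUA=0 switches it off at the next logon, ConsentPromptBehaviorAdmin=0 makes every elevation silent until then, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop where it can be automated. Both the dropper and every relaunched System.exe rewrite them, so a one-time manual fix is undone at the next run. The PowerShell below is an added example, not part of the report or the sample: it reports drift from the Windows 10 defaults and can put them back. The expected values are an assumption (a stock install with no Group Policy hardening them further); run it elevated.

```powershell
# Added example (not from the sandbox report): audit the three UAC policy values this
# sample sets to 0 and restore Windows 10 defaults. Run from an elevated prompt.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed defaults for a stock Windows 10 install with no overriding GPO
$expected = [ordered]@{
    EnableLUA                  = 1   # 0 = UAC off entirely after the next logon/reboot
    ConsentPromptBehaviorAdmin = 5   # 0 = admins elevate without any prompt
    PromptOnSecureDesktop      = 1   # 0 = prompts are drawn on the normal desktop
}

function Get-UacPolicyDrift {
    $current = Get-ItemProperty -Path $policyKey
    foreach ($name in $expected.Keys) {
        $value = $current.$name          # $null when the value is absent
        [pscustomobject]@{
            Name     = $name
            Current  = $value
            Expected = $expected[$name]
            Drifted  = ($null -eq $value) -or ($value -ne $expected[$name])
        }
    }
}

function Restore-UacPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-UacPolicyDrift | Where-Object Drifted) {
        if ($PSCmdlet.ShouldProcess("$policyKey\$($row.Name)", "set to $($row.Expected)")) {
            Set-ItemProperty -Path $policyKey -Name $row.Name -Value $row.Expected -Type DWord
        }
    }
}

Get-UacPolicyDrift | Format-Table -AutoSize
# Restore-UacPolicy -WhatIf     # preview; drop -WhatIf to apply. EnableLUA needs a reboot.

# Assumption: Sysmon is installed with a registry rule covering this key. The writes
# themselves are then Event ID 13 (RegistryEvent, value set) naming the process.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Policies\\System\\(EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop)' } |
    Select-Object TimeCreated, Message
```

Restore the values only after the persistence below (the scheduled tasks and C:\Recovery\WindowsRE\System.exe) has been removed, otherwise the next launch resets them.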
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
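The 48 schtasks.exe launches listed earlier and the COM API use above are how the dropped copy in C:\Recovery\WindowsRE is kept running; the tasks point at a binary no legitimate task should reference. The PowerShell below is an added example, not part of the report or of the sample: it enumerates every task's exec action, expands environment variables, and lists those whose program lives outside a small set of trusted roots. The root list is an assumption and will need tuning (some vendor tasks use bare program names, which are reported as well); run it elevated so tasks of all principals are visible.

```powershell
# Added example, not part of the sandbox report or the sample. Lists scheduled tasks
# whose action runs a binary outside the directories below. The root list is an
# assumption; tune it per environment. Run elevated to see every principal's tasks.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
)

function Test-TrustedPath([string]$path) {
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler and e-mail actions do not
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (Test-TrustedPath $exe) { continue }     # a bare name like System.exe is reported too
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $exe
                Arguments = $action.Arguments
                RunLevel  = $task.Principal.RunLevel
                Author    = $task.Author
                State     = $task.State
            }
        }
    }
}

$hits = @(Get-SuspiciousScheduledTask)
$hits | Format-Table -AutoSize
# Review one hit's full XML before removing it, then unregister it:
# Export-ScheduledTask -TaskName $hits[0].TaskName -TaskPath $hits[0].TaskPath
# Unregister-ScheduledTask -TaskName $hits[0].TaskName -TaskPath $hits[0].TaskPath -Confirm:$false
```

Task registration events (Microsoft-Windows-TaskScheduler/Operational 106, Security 4698) are not written on a default Windows 10 client without enabling that log or the "Other Object Access Events" audit subcategory, so on an unprepared host the task store itself is the only record.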
Processes
-
C:\Users\Admin\AppData\Local\Temp\c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe"C:\Users\Admin\AppData\Local\Temp\c682278382f9f7a4d7cb00af3a87884c6a847b815718ca07f67f0667c13d6a74.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\tmpAFCB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAFCB.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Users\Admin\AppData\Local\Temp\tmpAFCB.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAFCB.tmp.exe"3⤵
- Executes dropped EXE
PID:2752
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
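The eleven powershell.exe children above each run Add-MpPreference -ExclusionPath against one top-level folder of C:, and the first one against the drive root itself, so Defender stops scanning the whole volume before the dropper launches System.exe (its next child). The PowerShell below is an added example, not part of the report or of the sample: it lists the configured path exclusions, flags any that cover a drive root or a single top-level folder, removes them with confirmation, and pulls the Defender 5007 configuration-change events that record when each was added. It assumes Defender is the active engine; with a third-party AV registered these cmdlets return nothing useful.

```powershell
# Added example (not from the sandbox report): find and remove the drive-wide Defender
# exclusions this sample adds, and list the 5007 events that recorded them. Run elevated.
# Assumption: Microsoft Defender is the active antivirus on the host.

function Test-BroadExclusion([string]$path) {
    # Accept both the 'C:/Program Files/' spelling the sample uses and backslash form
    $norm = $path.Replace('/', '\').TrimEnd('\')
    return ($norm -match '^[A-Za-z]:$') -or ($norm -match '^[A-Za-z]:\\[^\\]+$')
}

function Get-BroadDefenderExclusion {
    foreach ($p in (Get-MpPreference).ExclusionPath) {
        if (Test-BroadExclusion $p) {
            [pscustomobject]@{ ExclusionPath = $p; Reason = 'whole drive or top-level folder' }
        }
    }
}

function Remove-BroadDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $broad = @(Get-BroadDefenderExclusion | Select-Object -ExpandProperty ExclusionPath)
    if ($broad.Count -eq 0) { return }
    if ($PSCmdlet.ShouldProcess(($broad -join ', '), 'Remove-MpPreference -ExclusionPath')) {
        Remove-MpPreference -ExclusionPath $broad
    }
}

Get-BroadDefenderExclusion | Format-Table -AutoSize
# Remove-BroadDefenderExclusion -WhatIf   # preview; drop -WhatIf to apply

# Every exclusion change is logged as event 5007 in the Defender operational log with the
# Exclusions\Paths value that was written; this lists the last day's worth.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message
```

The exclusion list also lives under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, which is worth reading directly from an elevated prompt if Get-MpPreference returns an empty list on a host you already know is infected.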
C:\Recovery\WindowsRE\System.exe"C:\Recovery\WindowsRE\System.exe"2⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4168 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e8f95c1-28d6-47ed-bf5c-fe75e5451ff6.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5112 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b116bee3-5c2d-4af8-86f2-8b97b559ea83.vbs"5⤵PID:3688
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1516 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85cc171b-d328-4b4c-8743-e4abf09d6733.vbs"7⤵PID:5088
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe8⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3660 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1faa096-f567-4038-9aba-741e62f76304.vbs"9⤵PID:4948
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe10⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2432 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28d57e3e-4b97-47f2-9957-de17af3cec9d.vbs"11⤵PID:1396
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe12⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2320 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\512ef923-0fa0-4937-984f-603ad9f7fd3d.vbs"13⤵PID:2212
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe14⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2016 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3c0b381-85fb-4548-96d2-ae746b7e1518.vbs"15⤵PID:952
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe16⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1608 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b338188d-63be-4d4a-9bff-0f351f719b35.vbs"17⤵PID:4076
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe18⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4504 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47a6aa0e-93a3-4f88-828c-6330340bde53.vbs"19⤵PID:2112
-
C:\Recovery\WindowsRE\System.exeC:\Recovery\WindowsRE\System.exe20⤵PID:3828
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c175eb1d-0d31-4d60-b284-160656c020be.vbs"21⤵PID:2320
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a160ab96-2285-446f-bc89-752e4fcdac20.vbs"21⤵PID:3584
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5124.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5124.tmp.exe"21⤵PID:1840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV122⤵PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\tmp5124.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp5124.tmp.exe"22⤵PID:964
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b5e5494-afaf-4dc8-bad7-ce321a611756.vbs"19⤵PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"19⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"20⤵
- Suspicious use of SetThreadContext
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp35BC.tmp.exe"21⤵PID:1968
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0a82f29-2c57-4a35-a8a3-5eace16f7892.vbs"17⤵PID:5064
-
-
C:\Users\Admin\AppData\Local\Temp\tmp1A74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1A74.tmp.exe"17⤵
- Suspicious use of SetThreadContext
PID:2224 -
C:\Users\Admin\AppData\Local\Temp\tmp1A74.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp1A74.tmp.exe"18⤵PID:2100
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51114ca2-c732-4fd0-bf1d-d3b9d82aadee.vbs"15⤵PID:3588
-
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"15⤵
- Executes dropped EXE
PID:1552 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"17⤵
- Executes dropped EXE
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"18⤵
- Executes dropped EXE
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"19⤵
- Executes dropped EXE
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"20⤵
- Executes dropped EXE
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"21⤵
- Executes dropped EXE
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"22⤵
- Executes dropped EXE
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"23⤵
- Executes dropped EXE
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"24⤵
- Executes dropped EXE
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"25⤵
- Executes dropped EXE
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"26⤵
- Executes dropped EXE
PID:3144 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"27⤵
- Executes dropped EXE
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"28⤵
- Executes dropped EXE
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"29⤵
- Executes dropped EXE
PID:3348 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"30⤵
- Executes dropped EXE
PID:112 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"31⤵
- Executes dropped EXE
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"32⤵
- Executes dropped EXE
PID:2836 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"33⤵
- Executes dropped EXE
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"34⤵
- Executes dropped EXE
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"35⤵
- Executes dropped EXE
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"36⤵
- Executes dropped EXE
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"37⤵
- Executes dropped EXE
PID:3164 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"38⤵
- Executes dropped EXE
PID:4164 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"39⤵
- Executes dropped EXE
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"40⤵
- Executes dropped EXE
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"41⤵
- Executes dropped EXE
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"42⤵
- Executes dropped EXE
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"43⤵
- Executes dropped EXE
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"44⤵
- Executes dropped EXE
PID:512 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"45⤵
- Executes dropped EXE
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"46⤵
- Executes dropped EXE
PID:2132 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"47⤵
- Executes dropped EXE
PID:388 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"48⤵
- Executes dropped EXE
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"49⤵
- Executes dropped EXE
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4504 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"51⤵
- Executes dropped EXE
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"52⤵
- Executes dropped EXE
PID:3720 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"53⤵
- Executes dropped EXE
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"54⤵
- Executes dropped EXE
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"55⤵
- Executes dropped EXE
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"56⤵
- Executes dropped EXE
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"57⤵
- Executes dropped EXE
PID:3192 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"58⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"59⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"60⤵PID:4072
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"61⤵PID:1120
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"62⤵PID:876
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"63⤵PID:3840
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"64⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"65⤵PID:2680
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"66⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"67⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"68⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"69⤵PID:5076
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"70⤵PID:3044
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"71⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"72⤵PID:2460
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"73⤵PID:436
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"74⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"75⤵PID:4456
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"76⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"77⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"78⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"79⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"80⤵PID:1712
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"81⤵PID:2420
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"82⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"83⤵
- System Location Discovery: System Language Discovery
PID:3232 -
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"84⤵PID:2524
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe"85⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 86⤵ PID:2852
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 87⤵ PID:2468
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 88⤵ PID:1976
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 89⤵ PID:1516
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 90⤵ PID:2528
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 91⤵ PID:4844
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 92⤵ PID:2472
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 93⤵ PID:2352
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 94⤵ PID:808
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 95⤵ PID:1400
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 96⤵ PID:3900
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 97⤵ PID:2328
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 98⤵ PID:2116
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 99⤵ PID:2972
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 100⤵ PID:316
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 101⤵ PID:1536
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 102⤵ PID:2516
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 103⤵ PID:4648
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 104⤵ PID:1696
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 105⤵ PID:1008
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 106⤵ PID:552
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 107⤵ PID:4400
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 108⤵ PID:3532
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 109⤵ PID:3828
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 110⤵ PID:4928
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 111⤵ PID:1872
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 112⤵ PID:2180
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 113⤵ PID:4080
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 114⤵ PID:3492
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 115⤵ PID:2652
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 116⤵ PID:3752
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 117⤵ PID:2184
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 118⤵ PID:4204
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 119⤵ PID:3092
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 120⤵ PID:1000
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 121⤵ PID:4568
-
C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpFAF5.tmp.exe" 122⤵ PID:5076
- System Location Discovery: System Language Discovery
-