colibri | 42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Size

4.9MB
MD5

c4f491ec0a2f5bafc5d099a48035fe40
SHA1

b43d26d51afced257db87d8b712182f677fc1c34
SHA256

42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986
SHA512

09c65c27e810a797ab6e5630b099b912965a513a74ec285093b41c5796a9a7c574c9cf0896501c1e1787f52c771d07ae185a47a67160029df206366a227319dc
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4872	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4872	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/552-3-0x000000001BB00000-0x000000001BC2E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4832	powershell.exe
860	powershell.exe
4848	powershell.exe
2872	powershell.exe
3624	powershell.exe
4844	powershell.exe
3212	powershell.exe
1616	powershell.exe
3208	powershell.exe
1624	powershell.exe
4764	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 32 IoCs

pid	Process
4472	tmp7B5C.tmp.exe
396	tmp7B5C.tmp.exe
4472	lsass.exe
1540	tmpB16E.tmp.exe
2856	tmpB16E.tmp.exe
3140	tmpB16E.tmp.exe
3208	lsass.exe
4980	lsass.exe
3944	tmp143.tmp.exe
3632	tmp143.tmp.exe
1916	lsass.exe
1644	tmp3321.tmp.exe
4500	tmp3321.tmp.exe
3396	lsass.exe
540	tmp6481.tmp.exe
4816	tmp6481.tmp.exe
2340	tmp6481.tmp.exe
456	lsass.exe
2520	tmp81FC.tmp.exe
3156	tmp81FC.tmp.exe
3212	lsass.exe
2088	tmp9E5E.tmp.exe
4080	tmp9E5E.tmp.exe
2884	lsass.exe
2260	tmpCF61.tmp.exe
2624	tmpCF61.tmp.exe
4324	lsass.exe
4352	tmpC1.tmp.exe
5108	tmpC1.tmp.exe
3876	lsass.exe
1916	tmp31A5.tmp.exe
2776	tmp31A5.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 396	4472	tmp7B5C.tmp.exe	137
PID 2856 set thread context of 3140	2856	tmpB16E.tmp.exe	180
PID 3944 set thread context of 3632	3944	tmp143.tmp.exe	197
PID 1644 set thread context of 4500	1644	tmp3321.tmp.exe	207
PID 4816 set thread context of 2340	4816	tmp6481.tmp.exe	218
PID 2520 set thread context of 3156	2520	tmp81FC.tmp.exe	228
PID 2088 set thread context of 4080	2088	tmp9E5E.tmp.exe	238
PID 2260 set thread context of 2624	2260	tmpCF61.tmp.exe	247
PID 4352 set thread context of 5108	4352	tmpC1.tmp.exe	256
PID 1916 set thread context of 2776	1916	tmp31A5.tmp.exe	265

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\f3b6ecef712a24	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\ModifiableWindowsApps\StartMenuExperienceHost.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\7-Zip\Lang\wininit.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\RCX8535.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\sihost.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9962.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\7-Zip\Lang\spoolsv.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\Java\jre-1.8\bin\66fc9ff0ee96c2	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX7C95.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\spoolsv.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX9075.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\wininit.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\ModifiableWindowsApps\System.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sihost.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ea9f0e6c9e2dcd	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files\7-Zip\Lang\56085415360792	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\RCX87B6.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\7a0fd90576e088	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\6cb0b6c459d5d3	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\DigitalLocker\RCX7A71.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCX9DF8.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\addins\56085415360792	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\security\ea9f0e6c9e2dcd	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\en-US\29c1c3cc0f7685	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\TAPI\dwm.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\addins\wininit.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\security\RCX8E60.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\en-US\unsecapp.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\TAPI\RCX9BE3.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\TAPI\dwm.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\en-US\unsecapp.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\addins\RCX80DD.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\security\taskhostw.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\en-US\RCX9289.tmp	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\security\taskhostw.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\ServiceState\EventLog\Data\fontdrvhost.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\DigitalLocker\RuntimeBroker.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File opened for modification	C:\Windows\DigitalLocker\RuntimeBroker.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\DigitalLocker\9e8d7a4ca61bd9	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
File created	C:\Windows\addins\wininit.exe	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6481.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6481.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCF61.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB16E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB16E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3321.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81FC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E5E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp31A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7B5C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp143.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
384	schtasks.exe
752	schtasks.exe
4460	schtasks.exe
964	schtasks.exe
3916	schtasks.exe
2144	schtasks.exe
5036	schtasks.exe
2404	schtasks.exe
1912	schtasks.exe
1876	schtasks.exe
2108	schtasks.exe
3688	schtasks.exe
2196	schtasks.exe
2352	schtasks.exe
2512	schtasks.exe
3080	schtasks.exe
1520	schtasks.exe
4320	schtasks.exe
3876	schtasks.exe
2636	schtasks.exe
4764	schtasks.exe
1480	schtasks.exe
2708	schtasks.exe
624	schtasks.exe
1564	schtasks.exe
3944	schtasks.exe
3624	schtasks.exe
4928	schtasks.exe
2188	schtasks.exe
2264	schtasks.exe
3112	schtasks.exe
3932	schtasks.exe
5032	schtasks.exe
3712	schtasks.exe
3412	schtasks.exe
948	schtasks.exe
2056	schtasks.exe
968	schtasks.exe
5100	schtasks.exe
2044	schtasks.exe
4508	schtasks.exe
2868	schtasks.exe
5012	schtasks.exe
3208	schtasks.exe
4844	schtasks.exe
440	schtasks.exe
4448	schtasks.exe
2004	schtasks.exe
1616	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
1624	powershell.exe
1624	powershell.exe
4764	powershell.exe
4764	powershell.exe
4832	powershell.exe
4832	powershell.exe
4848	powershell.exe
4848	powershell.exe
4844	powershell.exe
4844	powershell.exe
3212	powershell.exe
3212	powershell.exe
860	powershell.exe
860	powershell.exe
3624	powershell.exe
3624	powershell.exe
1616	powershell.exe
1616	powershell.exe
2872	powershell.exe
2872	powershell.exe
3208	powershell.exe
3208	powershell.exe
4832	powershell.exe
3208	powershell.exe
4764	powershell.exe
4848	powershell.exe
3212	powershell.exe
1624	powershell.exe
4844	powershell.exe
3624	powershell.exe
1616	powershell.exe
2872	powershell.exe
860	powershell.exe
4472	lsass.exe
4472	lsass.exe
3208	lsass.exe
4980	lsass.exe
1916	lsass.exe
3396	lsass.exe
456	lsass.exe
3212	lsass.exe
2884	lsass.exe
4324	lsass.exe
3876	lsass.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	4472	lsass.exe
Token: SeDebugPrivilege	3208	lsass.exe
Token: SeDebugPrivilege	4980	lsass.exe
Token: SeDebugPrivilege	1916	lsass.exe
Token: SeDebugPrivilege	3396	lsass.exe
Token: SeDebugPrivilege	456	lsass.exe
Token: SeDebugPrivilege	3212	lsass.exe
Token: SeDebugPrivilege	2884	lsass.exe
Token: SeDebugPrivilege	4324	lsass.exe
Token: SeDebugPrivilege	3876	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4472	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	135
PID 552 wrote to memory of 4472	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	135
PID 552 wrote to memory of 4472	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	135
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 4472 wrote to memory of 396	4472	tmp7B5C.tmp.exe	137
PID 552 wrote to memory of 3208	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	150
PID 552 wrote to memory of 3208	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	150
PID 552 wrote to memory of 1624	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	151
PID 552 wrote to memory of 1624	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	151
PID 552 wrote to memory of 4848	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	152
PID 552 wrote to memory of 4848	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	152
PID 552 wrote to memory of 4764	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	153
PID 552 wrote to memory of 4764	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	153
PID 552 wrote to memory of 2872	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	154
PID 552 wrote to memory of 2872	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	154
PID 552 wrote to memory of 3624	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	155
PID 552 wrote to memory of 3624	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	155
PID 552 wrote to memory of 4832	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	156
PID 552 wrote to memory of 4832	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	156
PID 552 wrote to memory of 860	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	157
PID 552 wrote to memory of 860	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	157
PID 552 wrote to memory of 4844	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	158
PID 552 wrote to memory of 4844	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	158
PID 552 wrote to memory of 3212	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	159
PID 552 wrote to memory of 3212	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	159
PID 552 wrote to memory of 1616	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	160
PID 552 wrote to memory of 1616	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	160
PID 552 wrote to memory of 4472	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	172
PID 552 wrote to memory of 4472	552	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe	172
PID 4472 wrote to memory of 2596	4472	lsass.exe	174
PID 4472 wrote to memory of 2596	4472	lsass.exe	174
PID 4472 wrote to memory of 1116	4472	lsass.exe	175
PID 4472 wrote to memory of 1116	4472	lsass.exe	175
PID 4472 wrote to memory of 1540	4472	lsass.exe	177
PID 4472 wrote to memory of 1540	4472	lsass.exe	177
PID 4472 wrote to memory of 1540	4472	lsass.exe	177
PID 1540 wrote to memory of 2856	1540	tmpB16E.tmp.exe	179
PID 1540 wrote to memory of 2856	1540	tmpB16E.tmp.exe	179
PID 1540 wrote to memory of 2856	1540	tmpB16E.tmp.exe	179
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2856 wrote to memory of 3140	2856	tmpB16E.tmp.exe	180
PID 2596 wrote to memory of 3208	2596	WScript.exe	183
PID 2596 wrote to memory of 3208	2596	WScript.exe	183
PID 3208 wrote to memory of 4012	3208	lsass.exe	185
PID 3208 wrote to memory of 4012	3208	lsass.exe	185
PID 3208 wrote to memory of 4772	3208	lsass.exe	186
PID 3208 wrote to memory of 4772	3208	lsass.exe	186
PID 4012 wrote to memory of 4980	4012	WScript.exe	191
PID 4012 wrote to memory of 4980	4012	WScript.exe	191
PID 4980 wrote to memory of 2352	4980	lsass.exe	193
PID 4980 wrote to memory of 2352	4980	lsass.exe	193
PID 4980 wrote to memory of 3832	4980	lsass.exe	194
PID 4980 wrote to memory of 3832	4980	lsass.exe	194
PID 4980 wrote to memory of 3944	4980	lsass.exe	195

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe
"C:\Users\Admin\AppData\Local\Temp\42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:552
- C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Recovery\WindowsRE\lsass.exe
  "C:\Recovery\WindowsRE\lsass.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d8d7db4-eabd-449c-b485-cb16e6eb3d4b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Recovery\WindowsRE\lsass.exe
      C:\Recovery\WindowsRE\lsass.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b6fa90e-a8df-4753-8f75-e4cbc7672ab1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84857be7-ca55-4bce-82be-cb9e6e5732af.vbs"
        7⤵
        
        PID:2352
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b7ee56-8781-4bc4-8651-5c5f55a624cc.vbs"
        9⤵
        
        PID:3136
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2160a0d-a774-4048-9fe7-37a2c2c59a6b.vbs"
        11⤵
        
        PID:4624
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf230263-1273-432a-a9a0-3bc8d96ae5db.vbs"
        13⤵
        
        PID:4464
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\209c2012-573c-485d-a276-ed5616dc69fd.vbs"
        15⤵
        
        PID:2836
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ff6e7b-88a6-4916-92e7-dd8e58addbc2.vbs"
        17⤵
        
        PID:2340
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f4afaf4-80c7-40d9-bdeb-6d925fca42f1.vbs"
        19⤵
        
        PID:2924
        
        C:\Recovery\WindowsRE\lsass.exe
        
        C:\Recovery\WindowsRE\lsass.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39e5eaa0-86a6-4037-93d1-5d69a0241ae0.vbs"
        21⤵
        
        PID:4160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0203b128-abd1-40f2-afb6-fcea202ec820.vbs"
        21⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp31A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp31A5.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp31A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp31A5.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90d463d9-0f7e-4049-b0cd-410afbac73ee.vbs"
        19⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmpC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC1.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmpC1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC1.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33baf817-de08-4880-b91e-5605e6d50b93.vbs"
        17⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmpCF61.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCF61.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmpCF61.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCF61.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\206eee37-8070-4727-b2ed-c4683e2a08d2.vbs"
        15⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E5E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E5E.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E5E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E5E.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b404444a-3770-4799-895f-b064d2dfb7f1.vbs"
        13⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp81FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp81FC.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp81FC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp81FC.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11808020-905c-4d24-9683-8907fb2b9d16.vbs"
        11⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5f2cc9-2995-48ca-a7b3-0e91cb17c9b4.vbs"
        9⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp3321.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3321.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp3321.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3321.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e19f0690-f45d-44bd-83d0-1db8955b330c.vbs"
        7⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp143.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp143.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\tmp143.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp143.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c33146-4c7e-4518-a622-e4db892d4d7d.vbs"
        5⤵
        
        PID:4772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05f2fc06-5fd7-4f2d-9e6e-b61d85f75582.vbs"
    3⤵
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB16E.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\bin\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\bin\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\security\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\security\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\security\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
4.9MB

MD5
c4f491ec0a2f5bafc5d099a48035fe40

SHA1
b43d26d51afced257db87d8b712182f677fc1c34

SHA256
42f46905a7047aed5991b84bbf1696034447c5758ec1ffcc26f743d71799f986

SHA512
09c65c27e810a797ab6e5630b099b912965a513a74ec285093b41c5796a9a7c574c9cf0896501c1e1787f52c771d07ae185a47a67160029df206366a227319dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\05f2fc06-5fd7-4f2d-9e6e-b61d85f75582.vbs

Filesize
483B

MD5
b3aeaca6bea14b0fa2b07ebf20074375

SHA1
f6917290df30b30dce5dc6ec0e30ba387b85ece2

SHA256
934859a70e3340d106898b70e531d209e58f2eaea6cb40bda46cf271c4671db8

SHA512
c1a38d723bd11770684dbc02a8352c73f116f3484783c8fcdde991caacf86c2e42d6f2065ff554e1f2881959e83be98dd668af0135e45e23f8b5933e3b7df6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\209c2012-573c-485d-a276-ed5616dc69fd.vbs

Filesize
707B

MD5
7e51fca65f87fbd96a0b71a35e40f20a

SHA1
591b79f6e4991db5cc27a88093380fc963366a23

SHA256
41691821b6c968a8714416cc9ae82b19f87615c8047dffeb496663a3cb81bda4

SHA512
d3fd3614800e72333f9dc15266f6c572ab7d78aed7a244f473e910fef0bc4cffb04e3f716f0b420f386349880f94658a953dbe984d8ecbf86701ccac61362913

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d8d7db4-eabd-449c-b485-cb16e6eb3d4b.vbs

Filesize
707B

MD5
d16cf7152b7c2f4759ff95a03d09f748

SHA1
64258b63fc206cdce57230a4871fffbb5a61e28f

SHA256
fa4217d61e6cf984b4ba4a46cb4ee063eb3d80c44a40a629ed996e01e2c0e6ad

SHA512
c25b7c8848b969fa09b4a589df4a2bb4a97abe39e665101235ea1bd674949193190a0c5e5ecb22dfa478afaa167f6ddbf8895a600d2a3758027cdd15d7cf0853

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b6fa90e-a8df-4753-8f75-e4cbc7672ab1.vbs

Filesize
707B

MD5
45817230471fdce46ca04bc784588733

SHA1
e4d9200997336265c3be2cd4f5e86191ca55fb8c

SHA256
0143ec088a27b7cbb2004c1de74fcf71ae422651f28e7f583b2d418dd4fe95ff

SHA512
9bd0131ab800f7aa330ff1d47eaa20ef01cb17fb1a2b7b428037c7fa8ecd97259e996d7ed9026be32408ffa21bd96c3870891bb6fd144b8de6f9446f997f4a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\84857be7-ca55-4bce-82be-cb9e6e5732af.vbs

Filesize
707B

MD5
4c8d755643430f5f2111bb610d0ee5df

SHA1
58e13f8e4878f1185182cf59bfa4a12547e6e058

SHA256
0755b0f1415dea49c871ca744a9991c37a69e9178efc21e3f2b028cc2f1c3042

SHA512
cedb035779fd7963c946c7f32dbe7ee419ee9a78083d3f605e5d48a4d3ee122815053e042f94dd85071cf74e3154f361738b20a4f25e7bc0a109fe3de882ec0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdpox2c2.he1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1b7ee56-8781-4bc4-8651-5c5f55a624cc.vbs

Filesize
707B

MD5
4b7d00b7e6a38b6fa76a24dbd5f960cb

SHA1
d8ab5f649ece179ee00a1ddc46fb9e73955c77c9

SHA256
c9311982c1c7de42b9e67b3958cb04e856c3ddb6757c430f2a9db5c9a67d928f

SHA512
608f287c361b717e2a3f5496ff717d79bcd23fbc4c287936e39d0e589b7313dac05736e8626e5e23c10d7f969aaa77817a2b658e307938b7b4391392a0fb9752

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf230263-1273-432a-a9a0-3bc8d96ae5db.vbs

Filesize
706B

MD5
8df09abac1b3dc69e70974c331a3e635

SHA1
b8b3cfad870ed275de6f4e478fbc6ad68a7ab494

SHA256
5552f0fa3a59ada3436eed94a7d7c00b1be7d2ecc7242420c16083454e13d1c8

SHA512
fce36c30ddea9a3bdcc645aecff3b9b1794964dfd01208d8d325edb96a6e7d96cbebb1bc03f12b02cba7602b3f8c833a0c327a47c5781dcb1e85c0247a28f6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2160a0d-a774-4048-9fe7-37a2c2c59a6b.vbs

Filesize
707B

MD5
c184fbf692fc825ef7c7ce95d33de7cb

SHA1
bc0c1d375687cec0f07d18c7f376b7ba4a9043e0

SHA256
9c9673676b0bd091ca11f6bf230bed26f43cf1b877d8f79c062193e8e93b70d9

SHA512
a66cd7b1a916078613b0d1b6b9d6837307bd81425b8414c1ac0b1901fae15abbad1f13ba22b32b2fff596f0174714aabc2605855b3efbee0259f0160e6ffc3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B5C.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\en-US\unsecapp.exe

Filesize
4.9MB

MD5
4e8b7b51735d29c877f1f0986f16d765

SHA1
86553a7b978fde2a5ff9a16f0c1ad93c81fd86e8

SHA256
eb3c82047b233a62ac2d477f2e69dc3e737e6950a8652344fa902161ee5a2044

SHA512
0ab5de068d53da54d19de87cf976eff357d26cae395acf4316deb51698cd8d2ecc3776b73a58239333ad266a3f0a0942fed8d3df14cc749a69431b70b4debbe8

Download Submit
memory/396-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/456-504-0x000000001D340000-0x000000001D442000-memory.dmp

Filesize
1.0MB

Download
memory/552-12-0x000000001C7B0000-0x000000001CCD8000-memory.dmp

Filesize
5.2MB

Download
memory/552-9-0x000000001BAA0000-0x000000001BAB0000-memory.dmp

Filesize
64KB

Download
memory/552-142-0x00007FFCBD1D3000-0x00007FFCBD1D5000-memory.dmp

Filesize
8KB

Download
memory/552-17-0x000000001C2A0000-0x000000001C2A8000-memory.dmp

Filesize
32KB

Download
memory/552-156-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/552-1-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download
memory/552-16-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/552-344-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/552-14-0x000000001BAE0000-0x000000001BAEE000-memory.dmp

Filesize
56KB

Download
memory/552-15-0x000000001C280000-0x000000001C28E000-memory.dmp

Filesize
56KB

Download
memory/552-13-0x000000001BAD0000-0x000000001BADA000-memory.dmp

Filesize
40KB

Download
memory/552-0-0x00007FFCBD1D3000-0x00007FFCBD1D5000-memory.dmp

Filesize
8KB

Download
memory/552-11-0x000000001BAC0000-0x000000001BAD2000-memory.dmp

Filesize
72KB

Download
memory/552-10-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/552-7-0x000000001BA70000-0x000000001BA80000-memory.dmp

Filesize
64KB

Download
memory/552-18-0x000000001C3B0000-0x000000001C3BC000-memory.dmp

Filesize
48KB

Download
memory/552-8-0x000000001BA80000-0x000000001BA96000-memory.dmp

Filesize
88KB

Download
memory/552-6-0x000000001BA10000-0x000000001BA18000-memory.dmp

Filesize
32KB

Download
memory/552-2-0x00007FFCBD1D0000-0x00007FFCBDC91000-memory.dmp

Filesize
10.8MB

Download
memory/552-3-0x000000001BB00000-0x000000001BC2E000-memory.dmp

Filesize
1.2MB

Download
memory/552-5-0x000000001C230000-0x000000001C280000-memory.dmp

Filesize
320KB

Download
memory/552-4-0x000000001B9F0000-0x000000001BA0C000-memory.dmp

Filesize
112KB

Download
memory/1916-453-0x000000001DA00000-0x000000001DB02000-memory.dmp

Filesize
1.0MB

Download
memory/2352-429-0x0000012DDE0F0000-0x0000012DDE13E000-memory.dmp

Filesize
312KB

Download
memory/2884-546-0x000000001D700000-0x000000001D802000-memory.dmp

Filesize
1.0MB

Download
memory/2884-547-0x000000001D700000-0x000000001D802000-memory.dmp

Filesize
1.0MB

Download
memory/3212-528-0x000000001D520000-0x000000001D622000-memory.dmp

Filesize
1.0MB

Download
memory/3396-480-0x000000001D300000-0x000000001D402000-memory.dmp

Filesize
1.0MB

Download
memory/4324-564-0x000000001D500000-0x000000001D602000-memory.dmp

Filesize
1.0MB

Download
memory/4764-250-0x000001D3FFE00000-0x000001D3FFE22000-memory.dmp

Filesize
136KB

Download
memory/4980-428-0x000000001D300000-0x000000001D402000-memory.dmp

Filesize
1.0MB

Download