colibri | 7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Size

4.9MB
MD5

9f101118f7c7a990e1991adffbd13a90
SHA1

aa29ddbcd084d3bb62584d55cb51011e51b0f0ce
SHA256

7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3
SHA512

3e21074feb16b2f59b41db35142ec3d2102602cd0f7f6a102eae4d972e3a4a40505a65dc9144ba0730dca3f4717324b21076da9fe41712d45a3d8166fc1bf55a
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4444	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4444	schtasks.exe	83

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3248-3-0x000000001B8C0000-0x000000001B9EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
912	powershell.exe
5100	powershell.exe
4448	powershell.exe
4436	powershell.exe
4432	powershell.exe
3428	powershell.exe
2444	powershell.exe
4596	powershell.exe
1340	powershell.exe
4392	powershell.exe
4468	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 31 IoCs

pid	Process
868	tmp9FCC.tmp.exe
2844	tmp9FCC.tmp.exe
1008	dwm.exe
3040	tmpEB1B.tmp.exe
4768	tmpEB1B.tmp.exe
4672	dwm.exe
2128	dwm.exe
972	dwm.exe
3656	tmp53B9.tmp.exe
1268	tmp53B9.tmp.exe
3956	dwm.exe
4052	tmp71FF.tmp.exe
2648	tmp71FF.tmp.exe
1404	dwm.exe
3788	tmpA311.tmp.exe
2488	tmpA311.tmp.exe
432	dwm.exe
776	tmpC0DA.tmp.exe
5108	tmpC0DA.tmp.exe
1140	tmpC0DA.tmp.exe
4004	dwm.exe
3316	dwm.exe
1856	tmpCB8.tmp.exe
4224	tmpCB8.tmp.exe
3928	dwm.exe
4764	tmp290A.tmp.exe
2496	tmp290A.tmp.exe
4288	tmp290A.tmp.exe
4964	dwm.exe
2744	tmp57FA.tmp.exe
1556	tmp57FA.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 868 set thread context of 2844	868	tmp9FCC.tmp.exe	142
PID 3040 set thread context of 4768	3040	tmpEB1B.tmp.exe	187
PID 3656 set thread context of 1268	3656	tmp53B9.tmp.exe	209
PID 4052 set thread context of 2648	4052	tmp71FF.tmp.exe	219
PID 3788 set thread context of 2488	3788	tmpA311.tmp.exe	228
PID 5108 set thread context of 1140	5108	tmpC0DA.tmp.exe	238
PID 1856 set thread context of 4224	1856	tmpCB8.tmp.exe	252
PID 2496 set thread context of 4288	2496	tmp290A.tmp.exe	262
PID 2744 set thread context of 1556	2744	tmp57FA.tmp.exe	271

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\ModifiableWindowsApps\winlogon.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXC391.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows Defender\uk-UA\6cb0b6c459d5d3	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXAED7.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\dwm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files\Windows Defender\uk-UA\dwm.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\RCXB158.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\TextInputHost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\27d1bcfc3c54e0	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\taskhostw.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXA752.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\es-ES\OfficeClickToRun.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Setup\State\RCXC18C.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Boot\Resources\ja-JP\Idle.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Prefetch\ReadyBoot\e6c9b481da804f	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Setup\State\dllhost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXA329.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\taskhostw.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\ea9f0e6c9e2dcd	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\es-ES\RCXBD73.tmp	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\es-ES\OfficeClickToRun.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\es-ES\e6c9b481da804f	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File created	C:\Windows\Setup\State\5940a34987c991	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
File opened for modification	C:\Windows\Setup\State\dllhost.exe	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp53B9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA311.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0DA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0DA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp290A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp57FA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9FCC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEB1B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp290A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp71FF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCB8.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
932	schtasks.exe
2316	schtasks.exe
4840	schtasks.exe
3448	schtasks.exe
2000	schtasks.exe
2496	schtasks.exe
2200	schtasks.exe
1148	schtasks.exe
1588	schtasks.exe
2892	schtasks.exe
3916	schtasks.exe
2648	schtasks.exe
4064	schtasks.exe
960	schtasks.exe
4496	schtasks.exe
920	schtasks.exe
1264	schtasks.exe
2976	schtasks.exe
4240	schtasks.exe
1048	schtasks.exe
1556	schtasks.exe
3832	schtasks.exe
4488	schtasks.exe
3940	schtasks.exe
4100	schtasks.exe
4600	schtasks.exe
5108	schtasks.exe
3380	schtasks.exe
1848	schtasks.exe
4536	schtasks.exe
2444	schtasks.exe
3636	schtasks.exe
2492	schtasks.exe
2080	schtasks.exe
2820	schtasks.exe
4528	schtasks.exe
2268	schtasks.exe
4356	schtasks.exe
2876	schtasks.exe
4452	schtasks.exe
4936	schtasks.exe
2752	schtasks.exe
632	schtasks.exe
448	schtasks.exe
3100	schtasks.exe
1124	schtasks.exe
2828	schtasks.exe
1224	schtasks.exe
3352	schtasks.exe
5028	schtasks.exe
1348	schtasks.exe
1788	schtasks.exe
4232	schtasks.exe
4988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
4392	powershell.exe
4392	powershell.exe
4448	powershell.exe
4448	powershell.exe
4432	powershell.exe
4432	powershell.exe
4436	powershell.exe
912	powershell.exe
912	powershell.exe
4436	powershell.exe
1340	powershell.exe
1340	powershell.exe
4468	powershell.exe
4468	powershell.exe
2444	powershell.exe
2444	powershell.exe
5100	powershell.exe
5100	powershell.exe
4596	powershell.exe
4596	powershell.exe
4436	powershell.exe
4468	powershell.exe
3428	powershell.exe
3428	powershell.exe
1340	powershell.exe
5100	powershell.exe
4392	powershell.exe
4448	powershell.exe
912	powershell.exe
4432	powershell.exe
3428	powershell.exe
2444	powershell.exe
4596	powershell.exe
1008	dwm.exe
4672	dwm.exe
2128	dwm.exe
972	dwm.exe
3956	dwm.exe
1404	dwm.exe
432	dwm.exe
4004	dwm.exe
3316	dwm.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	1008	dwm.exe
Token: SeDebugPrivilege	4672	dwm.exe
Token: SeDebugPrivilege	2128	dwm.exe
Token: SeDebugPrivilege	972	dwm.exe
Token: SeDebugPrivilege	3956	dwm.exe
Token: SeDebugPrivilege	1404	dwm.exe
Token: SeDebugPrivilege	432	dwm.exe
Token: SeDebugPrivilege	4004	dwm.exe
Token: SeDebugPrivilege	3316	dwm.exe
Token: SeDebugPrivilege	3928	dwm.exe
Token: SeDebugPrivilege	4964	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 868	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	140
PID 3248 wrote to memory of 868	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	140
PID 3248 wrote to memory of 868	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	140
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 868 wrote to memory of 2844	868	tmp9FCC.tmp.exe	142
PID 3248 wrote to memory of 1340	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	154
PID 3248 wrote to memory of 1340	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	154
PID 3248 wrote to memory of 4432	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	155
PID 3248 wrote to memory of 4432	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	155
PID 3248 wrote to memory of 4448	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	156
PID 3248 wrote to memory of 4448	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	156
PID 3248 wrote to memory of 4436	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	158
PID 3248 wrote to memory of 4436	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	158
PID 3248 wrote to memory of 4392	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	159
PID 3248 wrote to memory of 4392	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	159
PID 3248 wrote to memory of 4596	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	161
PID 3248 wrote to memory of 4596	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	161
PID 3248 wrote to memory of 2444	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	163
PID 3248 wrote to memory of 2444	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	163
PID 3248 wrote to memory of 4468	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	166
PID 3248 wrote to memory of 4468	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	166
PID 3248 wrote to memory of 3428	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	168
PID 3248 wrote to memory of 3428	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	168
PID 3248 wrote to memory of 912	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	169
PID 3248 wrote to memory of 912	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	169
PID 3248 wrote to memory of 5100	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	170
PID 3248 wrote to memory of 5100	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	170
PID 3248 wrote to memory of 1716	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	176
PID 3248 wrote to memory of 1716	3248	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe	176
PID 1716 wrote to memory of 2140	1716	cmd.exe	178
PID 1716 wrote to memory of 2140	1716	cmd.exe	178
PID 1716 wrote to memory of 1008	1716	cmd.exe	180
PID 1716 wrote to memory of 1008	1716	cmd.exe	180
PID 1008 wrote to memory of 2456	1008	dwm.exe	182
PID 1008 wrote to memory of 2456	1008	dwm.exe	182
PID 1008 wrote to memory of 3592	1008	dwm.exe	183
PID 1008 wrote to memory of 3592	1008	dwm.exe	183
PID 1008 wrote to memory of 3040	1008	dwm.exe	185
PID 1008 wrote to memory of 3040	1008	dwm.exe	185
PID 1008 wrote to memory of 3040	1008	dwm.exe	185
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 3040 wrote to memory of 4768	3040	tmpEB1B.tmp.exe	187
PID 2456 wrote to memory of 4672	2456	WScript.exe	192
PID 2456 wrote to memory of 4672	2456	WScript.exe	192
PID 4672 wrote to memory of 5008	4672	dwm.exe	195
PID 4672 wrote to memory of 5008	4672	dwm.exe	195
PID 4672 wrote to memory of 1408	4672	dwm.exe	196
PID 4672 wrote to memory of 1408	4672	dwm.exe	196
PID 5008 wrote to memory of 2128	5008	WScript.exe	198
PID 5008 wrote to memory of 2128	5008	WScript.exe	198
PID 2128 wrote to memory of 1340	2128	dwm.exe	200
PID 2128 wrote to memory of 1340	2128	dwm.exe	200
PID 2128 wrote to memory of 3632	2128	dwm.exe	201
PID 2128 wrote to memory of 3632	2128	dwm.exe	201

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe
"C:\Users\Admin\AppData\Local\Temp\7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3248
- C:\Users\Admin\AppData\Local\Temp\tmp9FCC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9FCC.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Temp\tmp9FCC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9FCC.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\duz3xuQ10k.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2140
- - C:\Users\Public\Libraries\dwm.exe
    "C:\Users\Public\Libraries\dwm.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1f0650d-e06c-4482-aabe-17a61d129b35.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14146576-ebc2-4991-a05d-cd57a007b1fc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a583c19f-5395-4e47-be72-45eb5f751a67.vbs"
        8⤵
        
        PID:1340
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dfe7396-94b7-4405-8c57-0be44e13c4ac.vbs"
        10⤵
        
        PID:3904
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35b9732-1122-4766-a14a-b0fda1ece827.vbs"
        12⤵
        
        PID:4308
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4930d0ae-ef55-4dc3-804d-739f5d92e965.vbs"
        14⤵
        
        PID:1904
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0185b30-04fd-4656-b60f-c3bd1d023247.vbs"
        16⤵
        
        PID:1216
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fee0303-0a60-4118-ac74-b847d7d5eb9e.vbs"
        18⤵
        
        PID:4748
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fa46e8c-9024-4471-a0dd-2a0c7f33c84a.vbs"
        20⤵
        
        PID:4948
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\498e137f-6432-4096-b391-3b92cce6b2c9.vbs"
        22⤵
        
        PID:1496
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f67b58b8-e066-4510-bd52-3c3e275fb246.vbs"
        24⤵
        
        PID:2276
        
        C:\Users\Public\Libraries\dwm.exe
        
        C:\Users\Public\Libraries\dwm.exe
        25⤵
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c2f8815-de7b-4017-b0cc-298219fb5528.vbs"
        24⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp57FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57FA.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp57FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57FA.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\492b0f5b-a5aa-4eb9-b7bf-d44c510b84b4.vbs"
        22⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp290A.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecd140f8-bb37-4b3e-906c-4d07e23e4f94.vbs"
        20⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB8.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmpCB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCB8.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15e5f9df-aa03-4397-aeb2-76372323bf0e.vbs"
        18⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7437e766-225f-4fcc-8c62-5fb14829dd94.vbs"
        16⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de13f7d-5b55-40ca-9c42-ac355203b4eb.vbs"
        14⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmpA311.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA311.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmpA311.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA311.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af1bf112-a661-4727-9a22-b11a6658bde2.vbs"
        12⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp71FF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71FF.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp71FF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71FF.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93619412-b442-4988-9fdc-7fe3bfbdaf45.vbs"
        10⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp53B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp53B9.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp53B9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp53B9.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37a9b383-048e-4b68-905a-740e7bb2465d.vbs"
        8⤵
        
        PID:3632
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\004e6806-6132-4f78-ac45-23b17ef74ec4.vbs"
        6⤵
        
        PID:1408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65b4870f-1ce7-4d47-91db-3d5bc76687df.vbs"
      4⤵
      PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEB1B.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\uk-UA\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\uk-UA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXB8DD.tmp

Filesize
4.9MB

MD5
2bb621df8438f8c0b10673e6ec3527ea

SHA1
1d299d2db0b6de6b920d424a916ed5dfabbf95f0

SHA256
a460b500836646a7dd97e4181219e1c366aebd3f377487dbdaeaad191451b17a

SHA512
984c7f8d95bc6cb47856eb405a7a5e7f4e43e77639b9ffd270133ee8ae46472373200689b652a6eaf6972b09c0db8736a5ea97294ecbec53d80e1516f9cd16dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
192B

MD5
a892de23b6ca2395b3314e9426551811

SHA1
3ba3cfe655091b9fbc7fb8fc0cad7cec354261df

SHA256
a44c73a2dedbf8b358ad9c0000e7f2dd0d8856187592cb64428a996a167ba9b2

SHA512
4741ca52f6e243ee91b4697c79642f762e14e5a1ad161aee6431bfe7d505f9e2779db01bc37ac853f0bb3618eb386bdb6c05e3bab173deaca715c4119d3bff85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\14146576-ebc2-4991-a05d-cd57a007b1fc.vbs

Filesize
709B

MD5
23aa0fd91ad1b27ad35e3bf1b786df12

SHA1
15634fefe06f0524af52e54339a25a63853d1eb4

SHA256
a271ae6c646ec451df68e09fb65f1c6708b47f7911bc55019f27e3c904f08bef

SHA512
5fedb1c671fa3c53d0ee8a481aea3de52798e545ff94f9431bd465c4fa00b363868e05d42c5d505a0b3e4ba87e4703fcd9b9dd339879bbc4584611da04a70fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dfe7396-94b7-4405-8c57-0be44e13c4ac.vbs

Filesize
708B

MD5
fb4ab79e9899aa45ed379d0f862280fd

SHA1
ff147f485ecbb385b60b58de49450ffa4b410bcb

SHA256
e69f8625d17bdfe9fc962b21d6f0ec26c15b51944503b0c238d823b3397b6f73

SHA512
cf453a540064f28ea3f22ccb4e2d44b5a4588bfb9a568e0d5487c1516b1878bc9923394a1823593fa33e08b0328ab5831e2b3d030d6f9b7c98ca520c356f5d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\4930d0ae-ef55-4dc3-804d-739f5d92e965.vbs

Filesize
709B

MD5
637192cbc0d1577331a55ea9d1e9b1a8

SHA1
17f83a8bae68013de350a78aa7448d9ec3f4243e

SHA256
de5b073a2675926e8f2d46dc758b14868e1b17462b5533592a0c04b6e3edea07

SHA512
a60760117a1f84f27acf34d5720866a8f2dda15a680132c1221636854c3b0da5dbae68abedfb268b34d412b164701f4bf8cb9d5e90bd8000690f3e80d54f4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fee0303-0a60-4118-ac74-b847d7d5eb9e.vbs

Filesize
709B

MD5
7a0212b11651818ba37a113a49b48f49

SHA1
83a491958f449329941fbdfc51ca3e41d5ab1c80

SHA256
f58fb65029315f23557320261ea6222dac286e3e0e9510ffcc7da347e6f0e9a0

SHA512
92b75287d0e8e6b1f41d12d6003b0239e2320a40fefcb60b74011ec81a550724e236b131f0efec07e3d0bb8812c8dfa411a4083e1812370a47867cbd6e8d957d

Download Submit
C:\Users\Admin\AppData\Local\Temp\65b4870f-1ce7-4d47-91db-3d5bc76687df.vbs

Filesize
485B

MD5
d689786eb65252cea124c33469843ead

SHA1
5a7f8e64a2e942a147eec147acf19b476eba3b9d

SHA256
07447f2742582fd389e98290d2257ab6ba740bee06b62b5b72c7f53d12c421d3

SHA512
120b9d2f9437b0d1c75cab0e77daccdaa598b3173ef0863d147ab88adf664e420cabd96ddf8a820798fb1d40f744c813ed8f62729c98502278a53cec9dd249fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lj4zovtm.ilx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0185b30-04fd-4656-b60f-c3bd1d023247.vbs

Filesize
708B

MD5
39c3ac025f26a6602eb9405b60bb630e

SHA1
0b8964c51661b50480ad2e7d9e2cf26d78d1bcb6

SHA256
f1b7c6b6049ec11c67ae31f203c0b8cffbdf67e109b4f8f158490fa7af1bd373

SHA512
42db9359d913543fce085fe9cd0bcb9f664ff797f0c76d76a1523be79495673f5fa79126bc7a96e90944eb7781117dd9725bec4959f9f4db55d67b11aad9e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a583c19f-5395-4e47-be72-45eb5f751a67.vbs

Filesize
709B

MD5
5996af547a30e028484976c4638ee167

SHA1
d1784e30bd98dd2e7afa36aa15358a6b8dc1d5da

SHA256
2d1143ad7391babc236c1484ff70bc943a4729a3548763ecaca9c8c19d783a04

SHA512
176284c65c4383948e8e7e9a8c5b382bb1ff9bc58811c997d24e0d530ee370dee294a24cf664ea314843104362ae870f46fe248f8dadc92de359263e0a576c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\d35b9732-1122-4766-a14a-b0fda1ece827.vbs

Filesize
709B

MD5
813ecdbb2cf8571d3d0a33edb14d2717

SHA1
b8e02e33f0682fec179f8edf95a767439bd3d3e0

SHA256
8fd26880aab223634b2b95bb4b8082cd0a2d181e8fedc060af8c7bd02d12e367

SHA512
df345e19d025373904fe20b9269dce6ea3c849d22870834bacdd16a91c0db272dfb0b99ed06a4c17f8d693e6e1cb13751c601ed4ffc4b9d3156e3ec5743895ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\duz3xuQ10k.bat

Filesize
198B

MD5
37415f6fac51f637f1a3c8041812e5a3

SHA1
35bd67de2d790a87ca179f7cbc842af8d48eec28

SHA256
7c72a2caccb51a87be2ea639f7a128640b9d4fe609fdb8a86b09083348e28e37

SHA512
9ae5598f8c8827f118a6c16d1a69979df2bb1b976e8a7d216476aff48f68ad5b22400de45d64ad75e36d53a21d5672ebf2ec877738d58ff1bc49ba5b46ca56d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1f0650d-e06c-4482-aabe-17a61d129b35.vbs

Filesize
709B

MD5
f1f827abed82677db35102041c49788e

SHA1
6810cc30e667e6a7e2775ae1f83b38fa3faf5888

SHA256
e5deb627c2c0728b78a77a8fe02e6b04ec26aded94c709cc0a1bfb44483ff86c

SHA512
34e778842f2fa1a98144f71bc9dc631de52258bddc46ef00875df96de0bcefb01233b5e279d4de799dd4296ffc1a9e88eaf51a3881f396dec1d37a871b689706

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FCC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\sihost.exe

Filesize
4.9MB

MD5
fe46525bd1894eec40dbd8a3b596cdde

SHA1
d7993f23147ac96358d0b88ab63060d83df23959

SHA256
f406052f18b703159df72deb690204d2464bda082d2b0aa9fc4ce165bae56299

SHA512
e63d83a60424b00336968bca32f6f3edfcd4df8eda46397394fc221e04b8b2531e47efd8a2078696a6c9e6c6a71be3ca85481f78382c9b815f15745d4597c860

Download Submit
C:\Windows\Prefetch\ReadyBoot\OfficeClickToRun.exe

Filesize
4.9MB

MD5
9f101118f7c7a990e1991adffbd13a90

SHA1
aa29ddbcd084d3bb62584d55cb51011e51b0f0ce

SHA256
7e79b4e78d2f12ea6993b17b118b1f2d6fd8cf1e03e4e3609a7b500395d6d4a3

SHA512
3e21074feb16b2f59b41db35142ec3d2102602cd0f7f6a102eae4d972e3a4a40505a65dc9144ba0730dca3f4717324b21076da9fe41712d45a3d8166fc1bf55a

Download Submit
C:\Windows\es-ES\RCXBD73.tmp

Filesize
4.9MB

MD5
cdc8b637c57b41ae411a8045bd3c0065

SHA1
87caa7930397b62445e1f5a94dacba5ac6ef2c3f

SHA256
9924635f50da630d1eed5addb324ce94f8bdb8d1c052b1f10d83aec09ff25641

SHA512
ce07d8188643fa0a06108b80a5b8f989721555c78510242c47394892fc232f0f26f734556b07e10074b9dd4d5d90204856b153b203d69456ec1232cf28859471

Download Submit
memory/972-369-0x0000000002EF0000-0x0000000002F02000-memory.dmp

Filesize
72KB

Download
memory/2128-357-0x000000001B640000-0x000000001B652000-memory.dmp

Filesize
72KB

Download
memory/2844-81-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3248-12-0x000000001C520000-0x000000001CA48000-memory.dmp

Filesize
5.2MB

Download
memory/3248-9-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

Filesize
64KB

Download
memory/3248-1-0x0000000000520000-0x0000000000A14000-memory.dmp

Filesize
5.0MB

Download
memory/3248-18-0x000000001B880000-0x000000001B88C000-memory.dmp

Filesize
48KB

Download
memory/3248-16-0x000000001B860000-0x000000001B868000-memory.dmp

Filesize
32KB

Download
memory/3248-17-0x000000001B870000-0x000000001B878000-memory.dmp

Filesize
32KB

Download
memory/3248-15-0x000000001B850000-0x000000001B85E000-memory.dmp

Filesize
56KB

Download
memory/3248-14-0x000000001B840000-0x000000001B84E000-memory.dmp

Filesize
56KB

Download
memory/3248-13-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download
memory/3248-153-0x00007FF858790000-0x00007FF859251000-memory.dmp

Filesize
10.8MB

Download
memory/3248-11-0x0000000002CF0000-0x0000000002D02000-memory.dmp

Filesize
72KB

Download
memory/3248-10-0x0000000002CE0000-0x0000000002CEA000-memory.dmp

Filesize
40KB

Download
memory/3248-8-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

Filesize
88KB

Download
memory/3248-195-0x00007FF858790000-0x00007FF859251000-memory.dmp

Filesize
10.8MB

Download
memory/3248-2-0x00007FF858790000-0x00007FF859251000-memory.dmp

Filesize
10.8MB

Download
memory/3248-5-0x000000001B7F0000-0x000000001B840000-memory.dmp

Filesize
320KB

Download
memory/3248-0-0x00007FF858793000-0x00007FF858795000-memory.dmp

Filesize
8KB

Download
memory/3248-6-0x0000000002C90000-0x0000000002C98000-memory.dmp

Filesize
32KB

Download
memory/3248-139-0x00007FF858793000-0x00007FF858795000-memory.dmp

Filesize
8KB

Download
memory/3248-7-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/3248-4-0x0000000002B20000-0x0000000002B3C000-memory.dmp

Filesize
112KB

Download
memory/3248-3-0x000000001B8C0000-0x000000001B9EE000-memory.dmp

Filesize
1.2MB

Download
memory/3928-492-0x000000001BE40000-0x000000001BE52000-memory.dmp

Filesize
72KB

Download
memory/4448-206-0x000001D37B460000-0x000001D37B482000-memory.dmp

Filesize
136KB

Download
memory/4672-345-0x000000001B580000-0x000000001B592000-memory.dmp

Filesize
72KB

Download