colibri | 930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Size

4.9MB
MD5

5103a1bb4e59cbcc9d05cc7905681c9f
SHA1

2ef27ea1ad70d19c214586cf8f44a03853c6fdf1
SHA256

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246
SHA512

fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8s:U

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1580	schtasks.exe	83

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3368-3-0x000000001B7D0000-0x000000001B8FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3824	powershell.exe
1200	powershell.exe
3896	powershell.exe
432	powershell.exe
1052	powershell.exe
1600	powershell.exe
4772	powershell.exe
4352	powershell.exe
4532	powershell.exe
548	powershell.exe
3832	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dwm.exe

Executes dropped EXE 44 IoCs

Processes:

tmp983.tmp.exetmp983.tmp.exedwm.exetmp2A18.tmp.exetmp2A18.tmp.exedwm.exetmp4A33.tmp.exetmp4A33.tmp.exedwm.exetmp7CCC.tmp.exetmp7CCC.tmp.exedwm.exetmp98D0.tmp.exetmp98D0.tmp.exetmp98D0.tmp.exetmp98D0.tmp.exedwm.exetmpB561.tmp.exetmpB561.tmp.exedwm.exedwm.exetmp6BD.tmp.exetmp6BD.tmp.exedwm.exetmp380E.tmp.exetmp380E.tmp.exedwm.exetmp6B05.tmp.exetmp6B05.tmp.exedwm.exetmp868B.tmp.exetmp868B.tmp.exetmp868B.tmp.exedwm.exetmpB665.tmp.exetmpB665.tmp.exedwm.exetmpE891.tmp.exetmpE891.tmp.exedwm.exetmp1A01.tmp.exetmp1A01.tmp.exetmp1A01.tmp.exedwm.exe

pid	Process
1124	tmp983.tmp.exe
4612	tmp983.tmp.exe
2900	dwm.exe
2616	tmp2A18.tmp.exe
4180	tmp2A18.tmp.exe
3276	dwm.exe
2056	tmp4A33.tmp.exe
4564	tmp4A33.tmp.exe
2040	dwm.exe
2852	tmp7CCC.tmp.exe
2644	tmp7CCC.tmp.exe
3000	dwm.exe
2116	tmp98D0.tmp.exe
2112	tmp98D0.tmp.exe
2384	tmp98D0.tmp.exe
2920	tmp98D0.tmp.exe
2672	dwm.exe
2276	tmpB561.tmp.exe
4816	tmpB561.tmp.exe
3868	dwm.exe
1844	dwm.exe
2920	tmp6BD.tmp.exe
404	tmp6BD.tmp.exe
2772	dwm.exe
1416	tmp380E.tmp.exe
3064	tmp380E.tmp.exe
3620	dwm.exe
1876	tmp6B05.tmp.exe
2488	tmp6B05.tmp.exe
4608	dwm.exe
2880	tmp868B.tmp.exe
4104	tmp868B.tmp.exe
4300	tmp868B.tmp.exe
5068	dwm.exe
4296	tmpB665.tmp.exe
4248	tmpB665.tmp.exe
2104	dwm.exe
1132	tmpE891.tmp.exe
3460	tmpE891.tmp.exe
3980	dwm.exe
3088	tmp1A01.tmp.exe
928	tmp1A01.tmp.exe
3308	tmp1A01.tmp.exe
3908	dwm.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

tmp983.tmp.exetmp2A18.tmp.exetmp4A33.tmp.exetmp7CCC.tmp.exetmp98D0.tmp.exetmpB561.tmp.exetmp6BD.tmp.exetmp380E.tmp.exetmp6B05.tmp.exetmp868B.tmp.exetmpB665.tmp.exetmpE891.tmp.exetmp1A01.tmp.exe

description	pid	Process	procid_target
PID 1124 set thread context of 4612	1124	tmp983.tmp.exe	110
PID 2616 set thread context of 4180	2616	tmp2A18.tmp.exe	150
PID 2056 set thread context of 4564	2056	tmp4A33.tmp.exe	160
PID 2852 set thread context of 2644	2852	tmp7CCC.tmp.exe	171
PID 2384 set thread context of 2920	2384	tmp98D0.tmp.exe	183
PID 2276 set thread context of 4816	2276	tmpB561.tmp.exe	193
PID 2920 set thread context of 404	2920	tmp6BD.tmp.exe	209
PID 1416 set thread context of 3064	1416	tmp380E.tmp.exe	218
PID 1876 set thread context of 2488	1876	tmp6B05.tmp.exe	228
PID 4104 set thread context of 4300	4104	tmp868B.tmp.exe	238
PID 4296 set thread context of 4248	4296	tmpB665.tmp.exe	247
PID 1132 set thread context of 3460	1132	tmpE891.tmp.exe	256
PID 928 set thread context of 3308	928	tmp1A01.tmp.exe	265

Drops file in Program Files directory 16 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

description	ioc	Process
File created	C:\Program Files\Windows NT\6203df4a6bafc7	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Security\BrowserCore\System.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Multimedia Platform\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\System.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows NT\lsass.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\6cb0b6c459d5d3	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Multimedia Platform\7b79031e89736c	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows NT\RCX14E3.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCX10AB.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX12CF.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\dwm.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows Security\BrowserCore\27d1bcfc3c54e0	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Program Files\Windows NT\lsass.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\RCX9F1.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\dwm.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

Drops file in Windows directory 12 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

description	ioc	Process
File created	C:\Windows\Migration\WTR\fontdrvhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\Migration\WTR\5b884080fd4f94	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\SystemApps\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\ModemLogs\RCXE29.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\ModemLogs\dllhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\SystemApps\csrss.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\SystemApps\886983d96e3d3e	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\SystemApps\RCXC05.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\Migration\WTR\RCX16F7.tmp	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File opened for modification	C:\Windows\Migration\WTR\fontdrvhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\ModemLogs\dllhost.exe	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
File created	C:\Windows\ModemLogs\5940a34987c991	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp98D0.tmp.exetmp6BD.tmp.exetmpE891.tmp.exetmp2A18.tmp.exetmp380E.tmp.exetmpB665.tmp.exetmp98D0.tmp.exetmp98D0.tmp.exetmp868B.tmp.exetmp868B.tmp.exetmp1A01.tmp.exetmp4A33.tmp.exetmp7CCC.tmp.exetmpB561.tmp.exetmp6B05.tmp.exetmp1A01.tmp.exetmp983.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp98D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6BD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE891.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2A18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp380E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB665.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp98D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp98D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp868B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp868B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A01.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4A33.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7CCC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB561.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6B05.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A01.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp983.tmp.exe

Modifies registry class 14 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2124	schtasks.exe
1584	schtasks.exe
2252	schtasks.exe
908	schtasks.exe
1284	schtasks.exe
2880	schtasks.exe
3900	schtasks.exe
2220	schtasks.exe
4436	schtasks.exe
2556	schtasks.exe
1916	schtasks.exe
4044	schtasks.exe
3604	schtasks.exe
4268	schtasks.exe
3068	schtasks.exe
404	schtasks.exe
1596	schtasks.exe
1952	schtasks.exe
1832	schtasks.exe
2464	schtasks.exe
4988	schtasks.exe
468	schtasks.exe
4348	schtasks.exe
3276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
1052	powershell.exe
1052	powershell.exe
4772	powershell.exe
4772	powershell.exe
4352	powershell.exe
4352	powershell.exe
3824	powershell.exe
3824	powershell.exe
432	powershell.exe
432	powershell.exe
3832	powershell.exe
3832	powershell.exe
4532	powershell.exe
4532	powershell.exe
548	powershell.exe
548	powershell.exe
1600	powershell.exe
1600	powershell.exe
1200	powershell.exe
1200	powershell.exe
3896	powershell.exe
3896	powershell.exe
1200	powershell.exe
3832	powershell.exe
4772	powershell.exe
1052	powershell.exe
1052	powershell.exe
4352	powershell.exe
3824	powershell.exe
4532	powershell.exe
1600	powershell.exe
432	powershell.exe
548	powershell.exe
3896	powershell.exe
2900	dwm.exe
3276	dwm.exe
2040	dwm.exe
3000	dwm.exe
2672	dwm.exe
3868	dwm.exe
1844	dwm.exe
2772	dwm.exe
3620	dwm.exe
4608	dwm.exe
5068	dwm.exe
2104	dwm.exe
3980	dwm.exe
3908	dwm.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2900	dwm.exe
Token: SeDebugPrivilege	3276	dwm.exe
Token: SeDebugPrivilege	2040	dwm.exe
Token: SeDebugPrivilege	3000	dwm.exe
Token: SeDebugPrivilege	2672	dwm.exe
Token: SeDebugPrivilege	3868	dwm.exe
Token: SeDebugPrivilege	1844	dwm.exe
Token: SeDebugPrivilege	2772	dwm.exe
Token: SeDebugPrivilege	3620	dwm.exe
Token: SeDebugPrivilege	4608	dwm.exe
Token: SeDebugPrivilege	5068	dwm.exe
Token: SeDebugPrivilege	2104	dwm.exe
Token: SeDebugPrivilege	3980	dwm.exe
Token: SeDebugPrivilege	3908	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exetmp983.tmp.exedwm.exetmp2A18.tmp.exeWScript.exedwm.exetmp4A33.tmp.exe

description	pid	Process	procid_target
PID 3368 wrote to memory of 1124	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	108
PID 3368 wrote to memory of 1124	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	108
PID 3368 wrote to memory of 1124	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	108
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 1124 wrote to memory of 4612	1124	tmp983.tmp.exe	110
PID 3368 wrote to memory of 3896	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	118
PID 3368 wrote to memory of 3896	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	118
PID 3368 wrote to memory of 432	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	119
PID 3368 wrote to memory of 432	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	119
PID 3368 wrote to memory of 4352	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	120
PID 3368 wrote to memory of 4352	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	120
PID 3368 wrote to memory of 1200	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	121
PID 3368 wrote to memory of 1200	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	121
PID 3368 wrote to memory of 3824	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	122
PID 3368 wrote to memory of 3824	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	122
PID 3368 wrote to memory of 3832	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	125
PID 3368 wrote to memory of 3832	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	125
PID 3368 wrote to memory of 4772	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	127
PID 3368 wrote to memory of 4772	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	127
PID 3368 wrote to memory of 548	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	128
PID 3368 wrote to memory of 548	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	128
PID 3368 wrote to memory of 1600	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	129
PID 3368 wrote to memory of 1600	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	129
PID 3368 wrote to memory of 4532	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	130
PID 3368 wrote to memory of 4532	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	130
PID 3368 wrote to memory of 1052	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	131
PID 3368 wrote to memory of 1052	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	131
PID 3368 wrote to memory of 2900	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	142
PID 3368 wrote to memory of 2900	3368	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe	142
PID 2900 wrote to memory of 2536	2900	dwm.exe	146
PID 2900 wrote to memory of 2536	2900	dwm.exe	146
PID 2900 wrote to memory of 3948	2900	dwm.exe	147
PID 2900 wrote to memory of 3948	2900	dwm.exe	147
PID 2900 wrote to memory of 2616	2900	dwm.exe	148
PID 2900 wrote to memory of 2616	2900	dwm.exe	148
PID 2900 wrote to memory of 2616	2900	dwm.exe	148
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2616 wrote to memory of 4180	2616	tmp2A18.tmp.exe	150
PID 2536 wrote to memory of 3276	2536	WScript.exe	153
PID 2536 wrote to memory of 3276	2536	WScript.exe	153
PID 3276 wrote to memory of 2708	3276	dwm.exe	155
PID 3276 wrote to memory of 2708	3276	dwm.exe	155
PID 3276 wrote to memory of 1176	3276	dwm.exe	156
PID 3276 wrote to memory of 1176	3276	dwm.exe	156
PID 3276 wrote to memory of 2056	3276	dwm.exe	158
PID 3276 wrote to memory of 2056	3276	dwm.exe	158
PID 3276 wrote to memory of 2056	3276	dwm.exe	158
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160
PID 2056 wrote to memory of 4564	2056	tmp4A33.tmp.exe	160

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exe930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe
"C:\Users\Admin\AppData\Local\Temp\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368
- C:\Users\Admin\AppData\Local\Temp\tmp983.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp983.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\tmp983.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp983.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
  "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3ca2fb6-f8d3-4534-b153-94a4fd073a2c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
      "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3276
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50b8c2c6-b97f-4f4f-81d9-c2b96bcb6361.vbs"
        5⤵
        
        PID:2708
      - C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6467ad42-6d76-48c4-b17a-5e55812013e4.vbs"
        7⤵
        
        PID:3516
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88860ed0-807d-4a45-9a7e-fead8d89001d.vbs"
        9⤵
        
        PID:1284
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72af8c3d-8f36-4812-8f19-9ca85c2b10fb.vbs"
        11⤵
        
        PID:3928
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690e112-cbf0-4a51-af62-e1283492a87c.vbs"
        13⤵
        
        PID:4444
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eb9b93a-29b8-4115-86f4-b4b9d1354ac3.vbs"
        15⤵
        
        PID:4968
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf25569-b389-462a-9252-1950af2d09e1.vbs"
        17⤵
        
        PID:2892
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87b4f1a1-c4b3-4149-935c-8588be26c7af.vbs"
        19⤵
        
        PID:1048
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd006c09-ae67-467c-8770-e8ebebfe526e.vbs"
        21⤵
        
        PID:2920
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19b52944-64bd-4c67-84e0-a7e4acca63df.vbs"
        23⤵
        
        PID:4664
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6158db4-9d4a-4c23-ace6-c5e2a3524a83.vbs"
        25⤵
        
        PID:4308
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\529697a7-6973-4f70-9b04-adeb8cc20e80.vbs"
        27⤵
        
        PID:3952
        
        C:\Program Files\Microsoft Office\PackageManifests\dwm.exe
        
        "C:\Program Files\Microsoft Office\PackageManifests\dwm.exe"
        28⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6616e0ee-638b-4978-ae37-5eb6411a0d99.vbs"
        29⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a6c357a-bd9d-417f-8ee6-7212a8d9b4e4.vbs"
        29⤵
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e202686-8be8-40d1-8ef0-a29f37b7aeb7.vbs"
        27⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A01.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\384c8892-1227-4206-a264-d19ed081e2c1.vbs"
        25⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmpE891.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE891.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmpE891.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE891.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da9e8986-b14b-4035-a53b-7111ebdbb7d7.vbs"
        23⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmpB665.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB665.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmpB665.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB665.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21035470-1310-4da7-bc94-8c469bf94222.vbs"
        21⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp868B.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e18e7a8-74af-47b0-b37e-6971a2326e5b.vbs"
        19⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp6B05.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6B05.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp6B05.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6B05.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7262c15d-42fb-4323-a368-22971f2f8d87.vbs"
        17⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp380E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp380E.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp380E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp380E.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13e42dfd-9263-4302-8922-51b9b02be10d.vbs"
        15⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp6BD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6BD.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp6BD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6BD.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12b99b35-329b-4525-b945-179be7e98a7b.vbs"
        13⤵
        
        PID:4000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed6a2c5a-71ef-4378-b6bd-c7ed68a49660.vbs"
        11⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmpB561.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB561.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmpB561.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB561.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b531def5-29e8-4c6e-b7bc-7bcbf14d1a8a.vbs"
        9⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp98D0.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff063638-7687-48f1-8960-a3adf4108838.vbs"
        7⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7CCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7CCC.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7CCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7CCC.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:2644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b11a532d-37c2-47c3-a410-e365d73a565e.vbs"
        5⤵
        
        PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\tmp4A33.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4A33.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\tmp4A33.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4A33.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:4564
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b180083-820b-4f4e-b278-d3c58eb5d8b3.vbs"
    3⤵
    PID:3948
- - C:\Users\Admin\AppData\Local\Temp\tmp2A18.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp2A18.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\tmp2A18.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp2A18.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\SoftwareDistribution\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\SoftwareDistribution\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SystemApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\SystemApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a62469" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a62469" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\RCX10AB.tmp

Filesize
4.9MB

MD5
bd3f791cb46b58c031b05533cb91d827

SHA1
94491086657cf38bf64b0a318441a7441125a2d8

SHA256
a5630815ccc500088788c172f9a538a591f7f649e38bab8311bc2e00cd9b232b

SHA512
3451587e3a042b0cb806514ee44b7930ba62aa2851d007a9fd63f71467ffb2ede356ae5706198bf17a4aa0ec68fa2fbc893f995593139a5c760c4ad1c46cf344

Download Submit
C:\Program Files\Windows Security\BrowserCore\System.exe

Filesize
4.9MB

MD5
5103a1bb4e59cbcc9d05cc7905681c9f

SHA1
2ef27ea1ad70d19c214586cf8f44a03853c6fdf1

SHA256
930040236d537be63b44b58c59f263d25d9af869abedff8e80d87157b99a6246

SHA512
fc6aef981ab43609850d0b2e79fa4d22646c439f12a267b177b00a67afc1879000f195f1677b24f60250bc8839c4825294b094a902fece31942e8b8ef0ecf33a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\1690e112-cbf0-4a51-af62-e1283492a87c.vbs

Filesize
734B

MD5
cb3cd423c1c9c68500dd52ea658ab0b4

SHA1
c0cbfd5dbcaccf4fd16ceb48ed8c10bf92fd09e6

SHA256
0db581a607f260c6f5fe8a5c763eedef973527a1ce1a618e1a8d69513c2154a4

SHA512
74567e3b94cde5ace31c32b41966e38657cea711ef0370353ba2a69a079817dce96e89ce5a1170b5fff1e468381fd5affc2f8f288dd6b9494c30c6f56fa08114

Download Submit
C:\Users\Admin\AppData\Local\Temp\1eb9b93a-29b8-4115-86f4-b4b9d1354ac3.vbs

Filesize
734B

MD5
e08084fa4299abefc894486aa258fb1a

SHA1
74045d328c4300e69f72944781714a0022ecaa8b

SHA256
f986e56ce12e75a4fb8eba619727cb435455f390243539e7fb2e3901ecda27f7

SHA512
9ace0bae0594e11307bedc2713c2d1c7a442e460f01ccca2f3081bcd5bb0f924c78d2ca1d21fa0c28d2d83ab3992bb1ce729b2c86f9eab2aa9e010d68dde76de

Download Submit
C:\Users\Admin\AppData\Local\Temp\50b8c2c6-b97f-4f4f-81d9-c2b96bcb6361.vbs

Filesize
734B

MD5
7be92cf0fdfc7b9ed42059c2ade09881

SHA1
144fba7fcf873f77b1ec256b682cef6161e963fb

SHA256
e7e6a146721121ad56ed6c9b3a24283d786f1bfac4eeb59f794747f96657cb29

SHA512
85615590b86a9ebc62d37eab535e0690f147ff937450d3bfb34fdac6150c3f6aec3af16a0aa61090528db146ffbccc1812a48c67bfe2cb67c0aa542a8e1e7173

Download Submit
C:\Users\Admin\AppData\Local\Temp\6467ad42-6d76-48c4-b17a-5e55812013e4.vbs

Filesize
734B

MD5
d53c71f5ba4ff3c884ef501f507df7e0

SHA1
2cd7af88d417ca92aa0e3b96695775c2c90f7ce3

SHA256
64e152bafd7946ebeb57c9c499fe04f75be0eeede9eac5fefb9dbfd8eea81eff

SHA512
eabcb0808aee73b4d9f37ad2e53c3b235c934268ee2334ad160d9ee295d0de80739c6af0219b5d82a59cf60866e6d9773ee99415a7bf2b06ac2bccfa0fa8e0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\72af8c3d-8f36-4812-8f19-9ca85c2b10fb.vbs

Filesize
734B

MD5
1dd3de0fd2e35f8a36d34ce4efe2f342

SHA1
b66c5a992d2fbdbeb7cf5a323c443988d9909f76

SHA256
63b73b5eb12cb54b657c66390a695a111d19b4d88ebe3e38bd22ac516096f3e8

SHA512
21e794ae8fac5a06fd608ed1bf2a0fcf677e567e674187a3a84fee60c6be423541264ff3ce1898d2d394af4cf3648e2859a1bcd02a64fccab44d31317438d500

Download Submit
C:\Users\Admin\AppData\Local\Temp\88860ed0-807d-4a45-9a7e-fead8d89001d.vbs

Filesize
734B

MD5
4e8b385d0f7c39d3e319530dacdb81db

SHA1
e77bb3ea459145abbee53f3fed02be89566ca04c

SHA256
579d1226c52f3cab7d9332641ba17b0dc0e0cc5533a351d8f110a66f28658221

SHA512
79be121cb07ce3bf9076c7212def0a19ae072453cfe8697139a4b5f40b05c0f1f8de4123b832b4f4047168c7189912af73cdb89a439bd954e98b59262dd1153f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b180083-820b-4f4e-b278-d3c58eb5d8b3.vbs

Filesize
510B

MD5
72ce7df12746bb158d85025a86fff432

SHA1
eb921558461f00c2e9f0a2fab93e6e3f034fa5f9

SHA256
7c4e56935a4b2443f37779f0c11853cd22f324bfa4f69af527bf674692a42452

SHA512
1a898a196213f2cb92cadfbf26b0bfa76919100b3daa69bf507b038e479f96f51a8638b45398aee03edf80bc9eeb402ea3c5abe1134d04a5329ad604f8ea3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejkmtjos.prg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3ca2fb6-f8d3-4534-b153-94a4fd073a2c.vbs

Filesize
734B

MD5
cc705f7e4dd50829d84beee5535ac5df

SHA1
c4da2e6afd82542f77f24e1fad6293db71b62128

SHA256
4e75e555bbac3e2990b891a61e387071c0c0a64062820eed79407af5bf22c2a6

SHA512
1773e40e4a3757aedc410e94d338627bde33b38a6c1d4d20e429bf9ffb1374ff9ac2d601b4e0e137c5b6eb5b00b6a5d57c1cd366b523fff9c77bc6399604e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp983.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1052-158-0x000001A824AE0000-0x000001A824B02000-memory.dmp

Filesize
136KB

Download
memory/2104-512-0x000000001B990000-0x000000001B9A2000-memory.dmp

Filesize
72KB

Download
memory/3368-10-0x000000001B7B0000-0x000000001B7BA000-memory.dmp

Filesize
40KB

Download
memory/3368-16-0x000000001BFA0000-0x000000001BFA8000-memory.dmp

Filesize
32KB

Download
memory/3368-18-0x000000001BFC0000-0x000000001BFCC000-memory.dmp

Filesize
48KB

Download
memory/3368-13-0x000000001BF70000-0x000000001BF7A000-memory.dmp

Filesize
40KB

Download
memory/3368-17-0x000000001BFB0000-0x000000001BFB8000-memory.dmp

Filesize
32KB

Download
memory/3368-14-0x000000001BF80000-0x000000001BF8E000-memory.dmp

Filesize
56KB

Download
memory/3368-264-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/3368-15-0x000000001BF90000-0x000000001BF9E000-memory.dmp

Filesize
56KB

Download
memory/3368-12-0x000000001C4A0000-0x000000001C9C8000-memory.dmp

Filesize
5.2MB

Download
memory/3368-8-0x000000001B780000-0x000000001B796000-memory.dmp

Filesize
88KB

Download
memory/3368-9-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

Filesize
64KB

Download
memory/3368-0-0x00007FFB253C3000-0x00007FFB253C5000-memory.dmp

Filesize
8KB

Download
memory/3368-11-0x000000001BF60000-0x000000001BF72000-memory.dmp

Filesize
72KB

Download
memory/3368-5-0x000000001B900000-0x000000001B950000-memory.dmp

Filesize
320KB

Download
memory/3368-6-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/3368-7-0x000000001B770000-0x000000001B780000-memory.dmp

Filesize
64KB

Download
memory/3368-4-0x0000000002BD0000-0x0000000002BEC000-memory.dmp

Filesize
112KB

Download
memory/3368-3-0x000000001B7D0000-0x000000001B8FE000-memory.dmp

Filesize
1.2MB

Download
memory/3368-2-0x00007FFB253C0000-0x00007FFB25E81000-memory.dmp

Filesize
10.8MB

Download
memory/3368-1-0x0000000000520000-0x0000000000A14000-memory.dmp

Filesize
5.0MB

Download
memory/3620-460-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/4612-61-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5068-495-0x000000001B7E0000-0x000000001B7F2000-memory.dmp

Filesize
72KB

Download