colibri | 456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Size

4.9MB
MD5

bc6d8c1824fbce3832a86042be6ce8ec
SHA1

5c750a20d9ddeb5be64ba89d220a8657adbce18b
SHA256

456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30
SHA512

abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	612	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	612	schtasks.exe	85

UAC bypass 3 TTPs 57 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/964-3-0x000000001C450000-0x000000001C57E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3472	powershell.exe
2544	powershell.exe
2272	powershell.exe
512	powershell.exe
5016	powershell.exe
4992	powershell.exe
812	powershell.exe
2108	powershell.exe
2868	powershell.exe
3600	powershell.exe
4668	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 57 IoCs

pid	Process
4272	tmpA480.tmp.exe
1452	tmpA480.tmp.exe
2404	backgroundTaskHost.exe
4572	tmpB6DC.tmp.exe
4664	tmpB6DC.tmp.exe
3548	backgroundTaskHost.exe
1444	tmpD801.tmp.exe
2388	tmpD801.tmp.exe
2680	backgroundTaskHost.exe
3940	backgroundTaskHost.exe
1040	backgroundTaskHost.exe
3420	tmp4198.tmp.exe
1004	tmp4198.tmp.exe
3548	tmp4198.tmp.exe
4804	backgroundTaskHost.exe
2404	tmp73D3.tmp.exe
4320	tmp73D3.tmp.exe
2300	backgroundTaskHost.exe
1976	tmp919C.tmp.exe
2024	tmp919C.tmp.exe
1208	backgroundTaskHost.exe
2996	tmpAEC9.tmp.exe
1116	tmpAEC9.tmp.exe
2184	backgroundTaskHost.exe
4884	tmpCC25.tmp.exe
756	tmpCC25.tmp.exe
3196	tmpCC25.tmp.exe
4272	tmpCC25.tmp.exe
2896	backgroundTaskHost.exe
228	tmpFCBA.tmp.exe
4456	tmpFCBA.tmp.exe
2388	backgroundTaskHost.exe
3612	tmp189F.tmp.exe
1612	tmp189F.tmp.exe
3944	backgroundTaskHost.exe
2412	tmp3483.tmp.exe
2064	tmp3483.tmp.exe
2160	backgroundTaskHost.exe
1912	tmp5087.tmp.exe
2252	tmp5087.tmp.exe
2440	backgroundTaskHost.exe
1188	tmp6D18.tmp.exe
3548	tmp6D18.tmp.exe
5020	tmp6D18.tmp.exe
3652	tmp6D18.tmp.exe
2044	tmp6D18.tmp.exe
3944	backgroundTaskHost.exe
2640	tmp8A54.tmp.exe
4404	tmp8A54.tmp.exe
2644	tmp8A54.tmp.exe
2916	backgroundTaskHost.exe
808	tmpA6E5.tmp.exe
1404	tmpA6E5.tmp.exe
2180	backgroundTaskHost.exe
2544	tmpC49E.tmp.exe
3440	tmpC49E.tmp.exe
1844	backgroundTaskHost.exe

Checks whether UAC is enabled 1 TTPs 38 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 1452	4272	tmpA480.tmp.exe	116
PID 4572 set thread context of 4664	4572	tmpB6DC.tmp.exe	127
PID 1444 set thread context of 2388	1444	tmpD801.tmp.exe	144
PID 1004 set thread context of 3548	1004	tmp4198.tmp.exe	169
PID 2404 set thread context of 4320	2404	tmp73D3.tmp.exe	179
PID 1976 set thread context of 2024	1976	tmp919C.tmp.exe	189
PID 2996 set thread context of 1116	2996	tmpAEC9.tmp.exe	198
PID 3196 set thread context of 4272	3196	tmpCC25.tmp.exe	209
PID 228 set thread context of 4456	228	tmpFCBA.tmp.exe	218
PID 3612 set thread context of 1612	3612	tmp189F.tmp.exe	227
PID 2412 set thread context of 2064	2412	tmp3483.tmp.exe	236
PID 1912 set thread context of 2252	1912	tmp5087.tmp.exe	246
PID 3652 set thread context of 2044	3652	tmp6D18.tmp.exe	257
PID 4404 set thread context of 2644	4404	tmp8A54.tmp.exe	267
PID 808 set thread context of 1404	808	tmpA6E5.tmp.exe	277
PID 2544 set thread context of 3440	2544	tmpC49E.tmp.exe	285

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File created	C:\Program Files (x86)\Windows Portable Devices\eddb19405b7ce1	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA0C5.tmp	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\sppsvc.exe	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB6DC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC25.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A54.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC49E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC25.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC25.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFCBA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp189F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA480.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD801.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4198.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73D3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp919C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6E5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4198.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAEC9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3483.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5087.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D18.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A54.tmp.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4896	schtasks.exe
5000	schtasks.exe
3024	schtasks.exe
2596	schtasks.exe
4608	schtasks.exe
428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
4992	powershell.exe
4992	powershell.exe
512	powershell.exe
512	powershell.exe
2108	powershell.exe
2108	powershell.exe
3600	powershell.exe
3600	powershell.exe
2272	powershell.exe
2272	powershell.exe
2868	powershell.exe
2868	powershell.exe
2544	powershell.exe
2544	powershell.exe
5016	powershell.exe
5016	powershell.exe
4668	powershell.exe
4668	powershell.exe
812	powershell.exe
812	powershell.exe
3472	powershell.exe
3472	powershell.exe
812	powershell.exe
3600	powershell.exe
2108	powershell.exe
512	powershell.exe
2272	powershell.exe
2868	powershell.exe
4992	powershell.exe
5016	powershell.exe
2544	powershell.exe
3472	powershell.exe
4668	powershell.exe
2404	backgroundTaskHost.exe
2404	backgroundTaskHost.exe
3548	backgroundTaskHost.exe
2680	backgroundTaskHost.exe
3940	backgroundTaskHost.exe
1040	backgroundTaskHost.exe
4804	backgroundTaskHost.exe
2300	backgroundTaskHost.exe
1208	backgroundTaskHost.exe
2184	backgroundTaskHost.exe
2896	backgroundTaskHost.exe
2388	backgroundTaskHost.exe
3944	backgroundTaskHost.exe
2160	backgroundTaskHost.exe
2440	backgroundTaskHost.exe
3944	backgroundTaskHost.exe
2916	backgroundTaskHost.exe
2180	backgroundTaskHost.exe
1844	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2404	backgroundTaskHost.exe
Token: SeDebugPrivilege	3548	backgroundTaskHost.exe
Token: SeDebugPrivilege	2680	backgroundTaskHost.exe
Token: SeDebugPrivilege	3940	backgroundTaskHost.exe
Token: SeDebugPrivilege	1040	backgroundTaskHost.exe
Token: SeDebugPrivilege	4804	backgroundTaskHost.exe
Token: SeDebugPrivilege	2300	backgroundTaskHost.exe
Token: SeDebugPrivilege	1208	backgroundTaskHost.exe
Token: SeDebugPrivilege	2184	backgroundTaskHost.exe
Token: SeDebugPrivilege	2896	backgroundTaskHost.exe
Token: SeDebugPrivilege	2388	backgroundTaskHost.exe
Token: SeDebugPrivilege	3944	backgroundTaskHost.exe
Token: SeDebugPrivilege	2160	backgroundTaskHost.exe
Token: SeDebugPrivilege	2440	backgroundTaskHost.exe
Token: SeDebugPrivilege	3944	backgroundTaskHost.exe
Token: SeDebugPrivilege	2916	backgroundTaskHost.exe
Token: SeDebugPrivilege	2180	backgroundTaskHost.exe
Token: SeDebugPrivilege	1844	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 2544	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	93
PID 964 wrote to memory of 2544	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	93
PID 964 wrote to memory of 2108	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	94
PID 964 wrote to memory of 2108	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	94
PID 964 wrote to memory of 4272	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	92
PID 964 wrote to memory of 4272	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	92
PID 964 wrote to memory of 4272	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	92
PID 964 wrote to memory of 2272	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	95
PID 964 wrote to memory of 2272	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	95
PID 964 wrote to memory of 512	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	97
PID 964 wrote to memory of 512	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	97
PID 964 wrote to memory of 4992	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	98
PID 964 wrote to memory of 4992	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	98
PID 964 wrote to memory of 3600	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	99
PID 964 wrote to memory of 3600	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	99
PID 964 wrote to memory of 2868	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	100
PID 964 wrote to memory of 2868	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	100
PID 964 wrote to memory of 5016	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	101
PID 964 wrote to memory of 5016	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	101
PID 964 wrote to memory of 812	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	104
PID 964 wrote to memory of 812	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	104
PID 964 wrote to memory of 4668	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	105
PID 964 wrote to memory of 4668	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	105
PID 964 wrote to memory of 3472	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	106
PID 964 wrote to memory of 3472	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	106
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 4272 wrote to memory of 1452	4272	tmpA480.tmp.exe	116
PID 964 wrote to memory of 2404	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	117
PID 964 wrote to memory of 2404	964	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe	117
PID 2404 wrote to memory of 808	2404	backgroundTaskHost.exe	123
PID 2404 wrote to memory of 808	2404	backgroundTaskHost.exe	123
PID 2404 wrote to memory of 3552	2404	backgroundTaskHost.exe	124
PID 2404 wrote to memory of 3552	2404	backgroundTaskHost.exe	124
PID 2404 wrote to memory of 4572	2404	backgroundTaskHost.exe	125
PID 2404 wrote to memory of 4572	2404	backgroundTaskHost.exe	125
PID 2404 wrote to memory of 4572	2404	backgroundTaskHost.exe	125
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 4572 wrote to memory of 4664	4572	tmpB6DC.tmp.exe	127
PID 808 wrote to memory of 3548	808	WScript.exe	133
PID 808 wrote to memory of 3548	808	WScript.exe	133
PID 3548 wrote to memory of 3824	3548	backgroundTaskHost.exe	139
PID 3548 wrote to memory of 3824	3548	backgroundTaskHost.exe	139
PID 3548 wrote to memory of 3540	3548	backgroundTaskHost.exe	140
PID 3548 wrote to memory of 3540	3548	backgroundTaskHost.exe	140
PID 3548 wrote to memory of 1444	3548	backgroundTaskHost.exe	142
PID 3548 wrote to memory of 1444	3548	backgroundTaskHost.exe	142
PID 3548 wrote to memory of 1444	3548	backgroundTaskHost.exe	142
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144
PID 1444 wrote to memory of 2388	1444	tmpD801.tmp.exe	144

System policy modification 1 TTPs 57 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe
"C:\Users\Admin\AppData\Local\Temp\456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:964
- C:\Users\Admin\AppData\Local\Temp\tmpA480.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA480.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\tmpA480.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA480.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472
- C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
  "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f507fccc-b2c7-4634-bc03-dbbc54a183ea.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
      "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf621d3b-db31-400a-9665-949d7a8a6a38.vbs"
        5⤵
        
        PID:3824
      - C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a61dcc8-e73f-41d0-983f-11e23bea0490.vbs"
        7⤵
        
        PID:4680
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\117de575-313c-4941-9404-9690ed5bb927.vbs"
        9⤵
        
        PID:1512
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f61b08a4-89f8-4d87-bd34-1c83054587aa.vbs"
        11⤵
        
        PID:384
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\022f88a1-9f12-4952-8d8a-9422a1b93c48.vbs"
        13⤵
        
        PID:3312
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b91e5509-4160-4ba4-acf8-60c482178367.vbs"
        15⤵
        
        PID:3624
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfca1339-b2d7-4d54-889c-c951ba5ea87f.vbs"
        17⤵
        
        PID:3192
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4d27f56-3475-4512-ad3a-694972111d12.vbs"
        19⤵
        
        PID:4180
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2be33785-dd5a-4aaa-b84e-2c8fa5afe7db.vbs"
        21⤵
        
        PID:4468
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c0677b-9985-4e08-ba0d-b1e30c872098.vbs"
        23⤵
        
        PID:2680
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a8416db-a32d-4e86-8c02-6013a0d5cf46.vbs"
        25⤵
        
        PID:2024
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a4ac3bf-d3a6-4f02-baa2-bd29ae8b2469.vbs"
        27⤵
        
        PID:4528
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc0725f4-fd39-4d08-b836-a65b47efa2fc.vbs"
        29⤵
        
        PID:1140
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\147b172e-466a-4d1d-bd3e-1d9f9cc7d224.vbs"
        31⤵
        
        PID:2868
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc775009-ff70-4ce3-bb3e-0e2476a92102.vbs"
        33⤵
        
        PID:4688
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae770f35-6f58-43a2-8181-f74ff5b1cc0a.vbs"
        35⤵
        
        PID:1124
        
        C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe"
        36⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73cab6ef-b0dc-4276-bc83-f06e6ec9bc3d.vbs"
        37⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4cc95a-34bf-427d-afb8-80529f846da3.vbs"
        37⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abf4de06-83b5-41b7-9cd2-ea369311fd23.vbs"
        35⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmpC49E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC49E.tmp.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmpC49E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC49E.tmp.exe"
        36⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3756efa3-a064-4808-9049-0dc4dfab3400.vbs"
        33⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmpA6E5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA6E5.tmp.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmpA6E5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA6E5.tmp.exe"
        34⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c65aed-245e-4a48-ae31-300ba2dccc47.vbs"
        31⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8A54.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84613868-7aa8-4bee-915f-1bd8ab6a8d8c.vbs"
        29⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D18.tmp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b8b10b5-2153-4b55-bfef-6a794ab2e521.vbs"
        27⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp5087.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5087.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp5087.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5087.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80e29de0-5aad-4d62-b01c-20bea66dca52.vbs"
        25⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp3483.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3483.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp3483.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3483.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b71090-bfab-4d83-b08b-76d2f470938a.vbs"
        23⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp189F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp189F.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp189F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp189F.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f2e9873-d280-403c-aa4d-a601d851f636.vbs"
        21⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCBA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCBA.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmpFCBA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCBA.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a410ca35-dc13-4914-a792-5c86c1b362dc.vbs"
        19⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCC25.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab0ee315-fa32-4c2a-af98-c158ee1f1df8.vbs"
        17⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmpAEC9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAEC9.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmpAEC9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAEC9.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2e6716-adf0-4935-b590-c1185fe7ee13.vbs"
        15⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp919C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp919C.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp919C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp919C.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac1e8ea-5d8e-4125-ab0c-a9e9b86fd707.vbs"
        13⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp73D3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp73D3.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp73D3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp73D3.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b978a7b-dee1-4ba3-80a9-5abe7e6c44ef.vbs"
        11⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4198.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\456aa7d5-0624-4463-b7a5-df1d5d9e8184.vbs"
        9⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad57ce00-4ef7-4d92-876f-d10025d8c9b1.vbs"
        7⤵
        
        PID:2824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da6eebdc-e808-4662-a863-9f26dc3c3c31.vbs"
        5⤵
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD801.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b6cbe7d-adb0-4def-8e04-df1e18f15abd.vbs"
    3⤵
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\backgroundTaskHost.exe

Filesize
4.9MB

MD5
bc6d8c1824fbce3832a86042be6ce8ec

SHA1
5c750a20d9ddeb5be64ba89d220a8657adbce18b

SHA256
456d1b550633ca213dad95d30642164a98ba2b7ace5689daa7c0dab25a928a30

SHA512
abdc44b1d6694dea890128229b6bab2dbddd8bbf34d4413afefa84147f91b8dc855b6797d41505842fc181fa09b08cb79abaa720c23ceb1f06dd36a3e7676292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\022f88a1-9f12-4952-8d8a-9422a1b93c48.vbs

Filesize
746B

MD5
b602936d0b0a7770da6f195322f8fc30

SHA1
b503b63cb9ef1c1b92a42dfd565cc27d31718d2e

SHA256
4c75e9352a803eef50431a76f8b85c6eeed355d1d050f7fc79e5c46a52a8ad72

SHA512
d95533b8be0a1126e531dcfabcb62283fbc6f49aa7aaea2f821828f748dac25d53db0e20a7780f641669927906583aac932b7ed4c0ceca798b7bef5fb223e637

Download Submit
C:\Users\Admin\AppData\Local\Temp\117de575-313c-4941-9404-9690ed5bb927.vbs

Filesize
746B

MD5
b858c3f28b6f2b3618e53083b53a30fc

SHA1
db2fbaf7422c3329f7399a2fd73af44b87f59ee7

SHA256
84ec00d435edbb60fd94f3450a4de2dc1cbad8c89902cd8d88dcc4c3d6e0412f

SHA512
333c843afbd9d9bcb19a63e4b585d6c948e5f00dccf4f9d8c175fcab0798a711515cd775282d397aa06ce273429ebb7aab0f63cc2ebce3eded51390d6b01148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\147b172e-466a-4d1d-bd3e-1d9f9cc7d224.vbs

Filesize
746B

MD5
9b7180aeab0e0f99fbb624502586fa1b

SHA1
88e088c3df20b0797b4488dbacd5fda51f2883d9

SHA256
03dcf48545a05e1fd415e67da02fc9db6c21a67d89eeb18ecc987e22e040c82a

SHA512
929c407e69bc5e8d68f0d88768d7baab2451ab9b56d14e888d20a5352161e88f1f95417210af9c87cb51bbc5c335c72a9c145c0c4ad355e2caac935c2d6c7b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a61dcc8-e73f-41d0-983f-11e23bea0490.vbs

Filesize
746B

MD5
26ea318f433a7bc0dea8aabe963820b7

SHA1
e574afe837b3dbdc367b66f4e7f3bfce5a9381d4

SHA256
38c385acc2da304478e86386f466a2dd19ae0af547ff2b6111c30c0e9a999be4

SHA512
0f22a88f687d4be6091f491721cff33e9e8b309ee5316964d02c96390c991afd8de796aa48eba1b80e913efb02e6aa28f24c5279e22585bcae59bb6d1cf41bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b6cbe7d-adb0-4def-8e04-df1e18f15abd.vbs

Filesize
522B

MD5
931914d5c71fc9d4fddf8bb429b61cdb

SHA1
f9e4f07745c8706fab98c6a2cf6a138bcf1826f6

SHA256
4575c57b4101fa4ac69625176c4f468669c90cd29df9091e53a2590864c99711

SHA512
c8ee5f0bd4259dd019e23ed2f2fb99ce7a17972901e384b981aaf65fd9ffa39b7f833af01f27f0dd60aa916645c635610d30d18abbed1145a192ed4f6081124f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdesvdog.25c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b91e5509-4160-4ba4-acf8-60c482178367.vbs

Filesize
746B

MD5
003d56756029b0d3ee238d2f3d320bc4

SHA1
1744a871c553ebd3ceba010c02b40adf5cc8aa5a

SHA256
cc073e4810129cedf20e021c90953124100356c2372f3d0ac10591c7d230d85d

SHA512
5b64091e7332cdd96b9cfeea7a544b12333762410012702c219acae8e0afd11e0a52a4416ddfffb5cba709bd69061c4746ad0da92bd7a94405eba9f242c32495

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf621d3b-db31-400a-9665-949d7a8a6a38.vbs

Filesize
746B

MD5
bb5aa128559a6b996995632f2ceb76ba

SHA1
d0423a9f74afcd9c60795bfd708e85e5adc934d2

SHA256
aa582a4776408476249987dd7d749dac2488fe89739b74d0646667f902267dec

SHA512
1662a3cc386ecf226af32d33cfde0a757bd8cd5f1fac9497865b58032b802cdbcdfbb001fbcdfd918fd0329df3f9d609364d73e2d4f171513b95bc45711b3547

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfca1339-b2d7-4d54-889c-c951ba5ea87f.vbs

Filesize
746B

MD5
ba3b83edca9e9c49b21c158ca8bb6c57

SHA1
ad0130bd9892dfd7f014dafa5054193cf83ba0d9

SHA256
b2315ee1d3b56c3d29a64e4d2bea39aec1058920a193f047e401d083508b8746

SHA512
e4c37cb17a54c31966d095bc64c4f471690bf4e656fc98f12840d6896a8b30bcdd30e9fadcbaadf53ec7ebdb16abd36aa7c58f8c61066c3ef5e99137dbb9fd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\f507fccc-b2c7-4634-bc03-dbbc54a183ea.vbs

Filesize
746B

MD5
7f0e72d9a05777f1b484a02336e966a3

SHA1
256af537cea2b7b8233bce7bde33d3234f19f1da

SHA256
12be89e29b83782887aa693d8ad8d828f50ded82f07d7b65dc03ddcd6352f049

SHA512
4142177fe7dfba9a8724eff9d590512809906630ea0eaf93bed800c1405b457cb9e02dd0098b923de29d37549daabbfef027175160f7599c3d375d8475e935cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f61b08a4-89f8-4d87-bd34-1c83054587aa.vbs

Filesize
746B

MD5
edf9e1909c1e6bfaa7ae17c5109ad783

SHA1
0ad5d8a3ac9bb1461a60163ba8c055edb263bb9f

SHA256
b18c4bc73d135e56cb4ce05c2e54ca9ad33df75d776459edad5ba3cbc58399c9

SHA512
85a8b15927243b4caa656ec63ffa91c0151f05675906823c5ed7025c85fe614343e670754c9e94a2b096fd927c7867405f6779931af76d0c8792d87f3f23e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA480.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/964-11-0x0000000003670000-0x0000000003682000-memory.dmp

Filesize
72KB

Download
memory/964-6-0x0000000003600000-0x0000000003608000-memory.dmp

Filesize
32KB

Download
memory/964-1-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download
memory/964-2-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/964-17-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/964-211-0x00007FF8BE390000-0x00007FF8BEE51000-memory.dmp

Filesize
10.8MB

Download
memory/964-18-0x000000001C200000-0x000000001C20C000-memory.dmp

Filesize
48KB

Download
memory/964-12-0x000000001D0B0000-0x000000001D5D8000-memory.dmp

Filesize
5.2MB

Download
memory/964-13-0x0000000003680000-0x000000000368A000-memory.dmp

Filesize
40KB

Download
memory/964-14-0x0000000003690000-0x000000000369E000-memory.dmp

Filesize
56KB

Download
memory/964-15-0x00000000036A0000-0x00000000036AE000-memory.dmp

Filesize
56KB

Download
memory/964-0-0x00007FF8BE393000-0x00007FF8BE395000-memory.dmp

Filesize
8KB

Download
memory/964-10-0x0000000003660000-0x000000000366A000-memory.dmp

Filesize
40KB

Download
memory/964-16-0x00000000036B0000-0x00000000036B8000-memory.dmp

Filesize
32KB

Download
memory/964-8-0x0000000003640000-0x0000000003656000-memory.dmp

Filesize
88KB

Download
memory/964-9-0x0000000003620000-0x0000000003630000-memory.dmp

Filesize
64KB

Download
memory/964-7-0x0000000003610000-0x0000000003620000-memory.dmp

Filesize
64KB

Download
memory/964-5-0x000000001C1A0000-0x000000001C1F0000-memory.dmp

Filesize
320KB

Download
memory/964-3-0x000000001C450000-0x000000001C57E000-memory.dmp

Filesize
1.2MB

Download
memory/964-4-0x00000000035E0000-0x00000000035FC000-memory.dmp

Filesize
112KB

Download
memory/1452-98-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2916-523-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/3600-100-0x0000014C2CEE0000-0x0000014C2CF02000-memory.dmp

Filesize
136KB

Download
memory/3944-449-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/3944-504-0x0000000003480000-0x0000000003492000-memory.dmp

Filesize
72KB

Download
memory/4804-330-0x000000001BBB0000-0x000000001BBC2000-memory.dmp

Filesize
72KB

Download