colibri | 75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Size

4.9MB
MD5

0f5cabfbc1180b73d7fadd9de190d3d0
SHA1

5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d
SHA256

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e
SHA512

79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		4512	schtasks.exe
		4076	schtasks.exe
		2792	schtasks.exe
		964	schtasks.exe
File created	C:\Windows\Tasks\56085415360792		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\AppReadiness\5b884080fd4f94		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		2772	schtasks.exe
File created	C:\Program Files\7-Zip\Lang\ea1d8f6d871115		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		316	schtasks.exe
		3888	schtasks.exe
		4452	schtasks.exe
		884	schtasks.exe
		4164	schtasks.exe
		3076	schtasks.exe
		4672	schtasks.exe
		1108	schtasks.exe
		1680	schtasks.exe
		3704	schtasks.exe
		900	schtasks.exe
		4600	schtasks.exe
		2540	schtasks.exe
		3292	schtasks.exe
		4080	schtasks.exe
		1668	schtasks.exe
		3536	schtasks.exe
		4940	schtasks.exe
		3980	schtasks.exe
		2656	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\56085415360792		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		1492	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		4456	schtasks.exe
		2732	schtasks.exe
		3476	schtasks.exe
		4020	schtasks.exe
		4356	schtasks.exe
		400	schtasks.exe
		3872	schtasks.exe
		3460	schtasks.exe
		4144	schtasks.exe
		3644	schtasks.exe
		1000	schtasks.exe
		3196	schtasks.exe
		3848	schtasks.exe
		3640	schtasks.exe
		3972	schtasks.exe
		2840	schtasks.exe
		3224	schtasks.exe
		3836	schtasks.exe
		2936	schtasks.exe
		2924	schtasks.exe
		4248	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\5b884080fd4f94		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		4684	schtasks.exe
		3852	schtasks.exe
		1572	schtasks.exe
		4856	schtasks.exe
		4784	schtasks.exe
		1396	schtasks.exe
		1816	schtasks.exe
File created	C:\Program Files\Windows Defender\en-US\cc11b995f2a76d		75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
		4848	schtasks.exe
		3660	schtasks.exe
		3592	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2604	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2604	schtasks.exe	83

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1320-3-0x000000001B4D0000-0x000000001B5FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3932	powershell.exe
2244	powershell.exe
4936	powershell.exe
4568	powershell.exe
3064	powershell.exe
1180	powershell.exe
1996	powershell.exe
4960	powershell.exe
4808	powershell.exe
2544	powershell.exe
4332	powershell.exe
4736	powershell.exe
1652	powershell.exe
440	powershell.exe
4332	powershell.exe
4816	powershell.exe
2468	powershell.exe
4100	powershell.exe
400	powershell.exe
468	powershell.exe
1116	powershell.exe
4336	powershell.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 32 IoCs

pid	Process
3612	tmp91B4.tmp.exe
1992	tmp91B4.tmp.exe
2920	tmp91B4.tmp.exe
1496	tmp91B4.tmp.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3420	tmpBB51.tmp.exe
4584	tmpBB51.tmp.exe
980	conhost.exe
4784	conhost.exe
1524	tmp170D.tmp.exe
1488	tmp170D.tmp.exe
1988	tmp170D.tmp.exe
852	tmp170D.tmp.exe
2304	conhost.exe
1144	tmp46F7.tmp.exe
2140	tmp46F7.tmp.exe
4380	conhost.exe
1876	tmp62EB.tmp.exe
3740	tmp62EB.tmp.exe
2540	conhost.exe
2776	tmp9371.tmp.exe
4572	tmp9371.tmp.exe
2784	conhost.exe
768	tmpC35B.tmp.exe
3832	tmpC35B.tmp.exe
5004	conhost.exe
632	tmp93D.tmp.exe
644	tmp93D.tmp.exe
2608	tmp93D.tmp.exe
1500	conhost.exe
3212	tmp39A4.tmp.exe
4668	tmp39A4.tmp.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 1496	2920	tmp91B4.tmp.exe	125
PID 3420 set thread context of 4584	3420	tmpBB51.tmp.exe	200
PID 1988 set thread context of 852	1988	tmp170D.tmp.exe	254
PID 1144 set thread context of 2140	1144	tmp46F7.tmp.exe	263
PID 1876 set thread context of 3740	1876	tmp62EB.tmp.exe	272
PID 2776 set thread context of 4572	2776	tmp9371.tmp.exe	282
PID 768 set thread context of 3832	768	tmpC35B.tmp.exe	291
PID 644 set thread context of 2608	644	tmp93D.tmp.exe	302
PID 3212 set thread context of 4668	3212	tmp39A4.tmp.exe	311

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\e978f868350d50	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\powershell.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Microsoft\Edge\56085415360792	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Crashpad\reports\spoolsv.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX9EAA.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXA2C3.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Crashpad\9e8d7a4ca61bd9	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Crashpad\RuntimeBroker.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\7-Zip\Lang\upfc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCX9C29.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXA554.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Media Player\en-US\conhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\5b884080fd4f94	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Defender\en-US\winlogon.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Microsoft\Edge\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\RCXA0AF.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Multimedia Platform\d8cd31df7dcff3	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Media Player\en-US\088424020bedd6	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Java\jre-1.8\56085415360792	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\56085415360792	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\upfc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Crashpad\RuntimeBroker.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Crashpad\reports\spoolsv.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Crashpad\reports\f3b6ecef712a24	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\winlogon.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Multimedia Platform\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\conhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Defender\en-US\cc11b995f2a76d	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\7-Zip\Lang\ea1d8f6d871115	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX9793.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\powershell.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Java\jre-1.8\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Provisioning\Autopilot\powershell.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\Tasks\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\AppReadiness\fontdrvhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\AppReadiness\RCX92ED.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Tasks\56085415360792	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\AppReadiness\5b884080fd4f94	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\AppReadiness\fontdrvhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\Tasks\RCX90D8.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\22eafd247d37c3	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Provisioning\Autopilot\powershell.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Provisioning\Autopilot\e978f868350d50	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Tasks\wininit.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Globalization\ELS\HyphenationDictionaries\StartMenuExperienceHost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91B4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB51.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp170D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp46F7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9371.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91B4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp91B4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp93D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp170D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC35B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp170D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp62EB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp93D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp39A4.tmp.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3644	schtasks.exe
3460	schtasks.exe
3872	schtasks.exe
3848	schtasks.exe
3076	schtasks.exe
3100	schtasks.exe
4696	schtasks.exe
2656	schtasks.exe
1184	schtasks.exe
3660	schtasks.exe
1108	schtasks.exe
3292	schtasks.exe
3972	schtasks.exe
1000	schtasks.exe
4856	schtasks.exe
964	schtasks.exe
3184	schtasks.exe
3980	schtasks.exe
2840	schtasks.exe
3576	schtasks.exe
3536	schtasks.exe
4164	schtasks.exe
936	schtasks.exe
2732	schtasks.exe
4784	schtasks.exe
316	schtasks.exe
4248	schtasks.exe
1816	schtasks.exe
1808	schtasks.exe
4456	schtasks.exe
1668	schtasks.exe
4448	schtasks.exe
1588	schtasks.exe
4516	schtasks.exe
2944	schtasks.exe
1396	schtasks.exe
4080	schtasks.exe
4684	schtasks.exe
2772	schtasks.exe
4672	schtasks.exe
2540	schtasks.exe
3852	schtasks.exe
2924	schtasks.exe
3532	schtasks.exe
900	schtasks.exe
4512	schtasks.exe
4452	schtasks.exe
4076	schtasks.exe
2256	schtasks.exe
212	schtasks.exe
1028	schtasks.exe
3296	schtasks.exe
2500	schtasks.exe
2844	schtasks.exe
3888	schtasks.exe
400	schtasks.exe
3704	schtasks.exe
1144	schtasks.exe
368	schtasks.exe
3936	schtasks.exe
1000	schtasks.exe
4020	schtasks.exe
4940	schtasks.exe
3708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
468	powershell.exe
2468	powershell.exe
2468	powershell.exe
4936	powershell.exe
4936	powershell.exe
440	powershell.exe
440	powershell.exe
3932	powershell.exe
3932	powershell.exe
4816	powershell.exe
4816	powershell.exe
2244	powershell.exe
2244	powershell.exe
4960	powershell.exe
4960	powershell.exe
1996	powershell.exe
1996	powershell.exe
4332	powershell.exe
4332	powershell.exe
440	powershell.exe
1180	powershell.exe
1180	powershell.exe
468	powershell.exe
468	powershell.exe
4936	powershell.exe
2244	powershell.exe
2468	powershell.exe
3932	powershell.exe
4816	powershell.exe
4332	powershell.exe
1996	powershell.exe
4960	powershell.exe
1180	powershell.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	980	conhost.exe
Token: SeDebugPrivilege	4784	conhost.exe
Token: SeDebugPrivilege	2304	conhost.exe
Token: SeDebugPrivilege	4380	conhost.exe
Token: SeDebugPrivilege	2540	conhost.exe
Token: SeDebugPrivilege	2784	conhost.exe
Token: SeDebugPrivilege	5004	conhost.exe
Token: SeDebugPrivilege	1500	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 3612	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	120
PID 1320 wrote to memory of 3612	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	120
PID 1320 wrote to memory of 3612	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	120
PID 3612 wrote to memory of 1992	3612	tmp91B4.tmp.exe	123
PID 3612 wrote to memory of 1992	3612	tmp91B4.tmp.exe	123
PID 3612 wrote to memory of 1992	3612	tmp91B4.tmp.exe	123
PID 1992 wrote to memory of 2920	1992	tmp91B4.tmp.exe	124
PID 1992 wrote to memory of 2920	1992	tmp91B4.tmp.exe	124
PID 1992 wrote to memory of 2920	1992	tmp91B4.tmp.exe	124
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 2920 wrote to memory of 1496	2920	tmp91B4.tmp.exe	125
PID 1320 wrote to memory of 1180	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	127
PID 1320 wrote to memory of 1180	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	127
PID 1320 wrote to memory of 4816	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	128
PID 1320 wrote to memory of 4816	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	128
PID 1320 wrote to memory of 4936	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	129
PID 1320 wrote to memory of 4936	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	129
PID 1320 wrote to memory of 1996	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	130
PID 1320 wrote to memory of 1996	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	130
PID 1320 wrote to memory of 2244	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	131
PID 1320 wrote to memory of 2244	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	131
PID 1320 wrote to memory of 4332	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	132
PID 1320 wrote to memory of 4332	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	132
PID 1320 wrote to memory of 440	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	134
PID 1320 wrote to memory of 440	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	134
PID 1320 wrote to memory of 2468	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	135
PID 1320 wrote to memory of 2468	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	135
PID 1320 wrote to memory of 3932	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	137
PID 1320 wrote to memory of 3932	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	137
PID 1320 wrote to memory of 468	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	138
PID 1320 wrote to memory of 468	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	138
PID 1320 wrote to memory of 4960	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	139
PID 1320 wrote to memory of 4960	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	139
PID 1320 wrote to memory of 3800	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	149
PID 1320 wrote to memory of 3800	1320	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	149
PID 3800 wrote to memory of 3420	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	198
PID 3800 wrote to memory of 3420	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	198
PID 3800 wrote to memory of 3420	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	198
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3420 wrote to memory of 4584	3420	tmpBB51.tmp.exe	200
PID 3800 wrote to memory of 4568	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	209
PID 3800 wrote to memory of 4568	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	209
PID 3800 wrote to memory of 3064	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	210
PID 3800 wrote to memory of 3064	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	210
PID 3800 wrote to memory of 1116	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	211
PID 3800 wrote to memory of 1116	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	211
PID 3800 wrote to memory of 4808	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	212
PID 3800 wrote to memory of 4808	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	212
PID 3800 wrote to memory of 4336	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	213
PID 3800 wrote to memory of 4336	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	213
PID 3800 wrote to memory of 4736	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	214
PID 3800 wrote to memory of 4736	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	214
PID 3800 wrote to memory of 4100	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	215
PID 3800 wrote to memory of 4100	3800	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	215

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
"C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320
- C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
  "C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\tmpBB51.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBB51.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\tmpBB51.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBB51.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JigN4PJfPZ.bat"
    3⤵
    PID:5028
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:4468
  - - C:\Program Files\Windows Media Player\en-US\conhost.exe
      "C:\Program Files\Windows Media Player\en-US\conhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333a1659-6eb4-4924-9ef0-12b07c455df5.vbs"
        5⤵
        
        PID:1628
      - C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d81c3cf8-7444-4a79-8aff-7c129c3f9c6f.vbs"
        7⤵
        
        PID:2772
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6691595c-569f-4e5e-8301-3adec1865366.vbs"
        9⤵
        
        PID:1784
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1205c0c8-bacb-4c01-8461-30e710f93c91.vbs"
        11⤵
        
        PID:1108
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3315770-0309-47f3-9ce0-e91047fdcc09.vbs"
        13⤵
        
        PID:2912
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\101a5512-c45a-42d1-b075-3737bc8b6bb5.vbs"
        15⤵
        
        PID:3852
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d304cb9-a000-45c5-93bb-28082d2ec71a.vbs"
        17⤵
        
        PID:4844
        
        C:\Program Files\Windows Media Player\en-US\conhost.exe
        
        "C:\Program Files\Windows Media Player\en-US\conhost.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d627f83e-f704-43ea-beb5-d2a147509aed.vbs"
        19⤵
        
        PID:3508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91b04339-96a3-4c85-9914-964059b37cf2.vbs"
        19⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\tmp39A4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp39A4.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp39A4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp39A4.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a7555ee-079c-4e03-8b1a-55ee8714d810.vbs"
        17⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp93D.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fd350fc-13ce-468f-bb59-5a1f933818e7.vbs"
        15⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmpC35B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC35B.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmpC35B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC35B.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c732955-0322-4ac8-a4eb-58d4c924abf3.vbs"
        13⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9371.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72dba90-fc74-4566-828a-c5f8af6fbc6e.vbs"
        11⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp62EB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp62EB.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp62EB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp62EB.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73a0bc88-d7fb-4af0-8392-093624275e4e.vbs"
        9⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp46F7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp46F7.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp46F7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp46F7.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97f0e04b-a498-4969-bffb-2fad54b52ac4.vbs"
        7⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp170D.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:852
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af32299c-406f-4f44-b9d8-2e31cd1101f3.vbs"
        5⤵
        
        PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Crashpad\reports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN7" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- DcRat
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\conhost.exe'" /f
1⤵
- DcRat
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Autopilot\powershell.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe

Filesize
4.9MB

MD5
0f5cabfbc1180b73d7fadd9de190d3d0

SHA1
5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d

SHA256
75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e

SHA512
79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b

Download Submit
C:\Program Files\Crashpad\reports\spoolsv.exe

Filesize
4.9MB

MD5
5c4542a085536af5827efd2367c8a808

SHA1
02da0ab78a80bb44e5dfac71e493efdf69eab07f

SHA256
9fc4e0406e808bccd351ff6c0cc26ec6d530cfe6e98c6bbaf73d6c1818e0e2a1

SHA512
91fae4e03b072439e71cb9266756583da4d43f678ec4e8206b61f7cdc05b769bd62c6d8623a37cb87b48a521f4e47f8eb43139ce6f2db6723330cdef12a76abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
26403455115fbc3da2573a37cc28744a

SHA1
6a9bf407036a8b9d36313462c0257f53b4ee9170

SHA256
222a7adb94c5e82df6466a4afce283e905c69f7feb18b3e34583b5cbbd88b352

SHA512
be96d478e5d804b8daf805ad28d5eba644fb63a59a799273e029c8047a036f8aac74098efcadee0e4f405dcd1c0a689a1e8eb23f51a93634ed44f5a7c821beb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d659c5ce48627a98e5fdbe24f9dacb1e

SHA1
ac339ff21db111b50cd3829dcffa41eedfd86e49

SHA256
f2632bdb1347a600b0dc613b2a6ef3f7073294bbb11ff83bdea8bf07b6c92465

SHA512
a2d02f5af65c4c6b42452951265bd122264736517602b9cee377c2f7df097eb0104d6e4a8a50c6999ad7b0443c6d4a04314f5c762cbab2f12e827fb5e737522a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
815f9e54d2e55a6cd87a044f75fdba0c

SHA1
9e2c91b5d015a2f96539227ed0a5d83cf26f6c08

SHA256
ec7d07723ca9c032e3662c0a316318065854ed4dc54106a5214278cbd148e75f

SHA512
9198d94b9d3ef35693881e3dc3e1c7f4b42d98f23a27f58cec67309628504de6940f0ac58bff1de2923b9d1b2dd11be82ea98bad9419d2e22f610df01c7401a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
672702f55e79800155f81b200ae32c11

SHA1
dfaaf4ad96e5d49d9f0cd36de2fe59cdda0e4a70

SHA256
69efe7d499bed2ebe41ecbf1d51fc326e191e0108bfc53f4f5700175e4588179

SHA512
b488290bf641d99120db2521489322b1e5552ba4868c732c6949105e5eef0902711ef896af4641075f6b66b4dcabc7bf8942ecf1d077e21b4cf005df73522368

Download Submit
C:\Users\Admin\AppData\Local\Temp\1205c0c8-bacb-4c01-8461-30e710f93c91.vbs

Filesize
731B

MD5
99e65f5345fd1bb208c171ea6c2c34f6

SHA1
470acd0210241fc4e736c18e98dbb1d0fd45019c

SHA256
066587e08e9426d85d2e628cb3d222b034c8aaa4dcaaa5d1f1d3fe6c8e1d5df7

SHA512
825dc72619a1a6bb95100dde186cf614dadcf72465bd6fb34741c500d1b9c08fda42e1616d0a494257adb624c964b709933a1abf42285c7c29d704b516a10966

Download Submit
C:\Users\Admin\AppData\Local\Temp\333a1659-6eb4-4924-9ef0-12b07c455df5.vbs

Filesize
730B

MD5
da5296ba29a54a8786cf80ab175157e5

SHA1
db9f72c26e8ce2da2e9aed5e7a899b30908ce065

SHA256
a8f3b9d7766f0ebdb67f2b80150f2f6c557c67a0bdb97c8a1c1c292c739da410

SHA512
adebfe53d20799d4056636195c11a9055f7b744bbe8095c8de58563b28914e0296b1de3d620c0eac38746c01f1c42341a89c94ed74244aaf3420d426a7a5bf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\6691595c-569f-4e5e-8301-3adec1865366.vbs

Filesize
731B

MD5
3314dcbf6f26ede4bef2a0da67c89043

SHA1
f3366f8659d5f87493e17735dee32924bf5cb00a

SHA256
789bf64fed79e0d6bc702a4b58619601517a88017271a443e6da42119c89e7ba

SHA512
70275917d27212b6c75d1a5ac8b5f7530de151596d5205c395ffc528b26477f3d9f5b04c05321d3431b81a202698f789ff152b35943c16798a7774950c88ecc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JigN4PJfPZ.bat

Filesize
220B

MD5
3e8337230a528ef7ac5c5aaf5f89eda7

SHA1
098a59425e776333ec217eb6136b21190ee1d8ce

SHA256
5787b8549b50e5aac5064a34db9d554893815b65ced0888e1462a97314a99f77

SHA512
da2e59301e4421bde70616450c3ab09a3f587369753f6a6871303d954a8b753dcb836ff53e76f133c4b2843e76a1618d13c3f490031ff6fcce9e1e3c6037e9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eoaviia4.juo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af32299c-406f-4f44-b9d8-2e31cd1101f3.vbs

Filesize
507B

MD5
3648a12be9332a0a59b27dfdceb67443

SHA1
a04c3d521faf828dfc555ba6b03741eb5b3e5e0b

SHA256
c748cdaefd2b7341457089e8c1ef293d36e134de0840e593ebe4d057f72b1514

SHA512
1b39bb27f18b0e80afdafc703c710689e10c64ff866ef77942d8f569a72093a069b8b6be27bbfa83163cc4a03ef22c7d0ab672c321c77a5c54fbe3f573b57795

Download Submit
C:\Users\Admin\AppData\Local\Temp\d81c3cf8-7444-4a79-8aff-7c129c3f9c6f.vbs

Filesize
731B

MD5
b05f6cbbe98447aa06884d1e5e0df455

SHA1
291daf4426a58ff0d10dcebde4f702f6278a0801

SHA256
1d16cacdbc5026ac2dc91dcf491839207967b8a6d7a1577361a3e395403e0560

SHA512
19a74aa16498bb67cc287ed9691f7cfbb4c85bf29ee254e4c10561d6ad1f9e32b9f2e497efc2e06ff00cbaaa6789ec0773b7cddd6332e59a24080925e7011757

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3315770-0309-47f3-9ce0-e91047fdcc09.vbs

Filesize
731B

MD5
dae2abd72e256d42a4e04dc72c4435cf

SHA1
df105e8244625d678bca16a7466ca159b93d7493

SHA256
860423f0454610b0098034f117f3488524ec4c6a5e7eba4dbe5ca1692cddc544

SHA512
b9c345a0d8e7c50901d20137a54fb75e37b8341ccc3b65250088f1fc7cf216ca478ccaedd519fe3449db2fb4f54283e8fac8465e6e012e1101fb58486da45007

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91B4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/440-253-0x0000014E7A4C0000-0x0000014E7A62A000-memory.dmp

Filesize
1.4MB

Download
memory/468-260-0x0000020DD7F20000-0x0000020DD808A000-memory.dmp

Filesize
1.4MB

Download
memory/468-149-0x0000020DD7C90000-0x0000020DD7CB2000-memory.dmp

Filesize
136KB

Download
memory/1180-278-0x00000170AEA90000-0x00000170AEBFA000-memory.dmp

Filesize
1.4MB

Download
memory/1320-6-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1320-1-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/1320-248-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

Filesize
10.8MB

Download
memory/1320-14-0x000000001B440000-0x000000001B44E000-memory.dmp

Filesize
56KB

Download
memory/1320-0-0x00007FFE39143000-0x00007FFE39145000-memory.dmp

Filesize
8KB

Download
memory/1320-2-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

Filesize
10.8MB

Download
memory/1320-17-0x000000001B470000-0x000000001B478000-memory.dmp

Filesize
32KB

Download
memory/1320-3-0x000000001B4D0000-0x000000001B5FE000-memory.dmp

Filesize
1.2MB

Download
memory/1320-18-0x000000001B480000-0x000000001B48C000-memory.dmp

Filesize
48KB

Download
memory/1320-15-0x000000001B450000-0x000000001B45E000-memory.dmp

Filesize
56KB

Download
memory/1320-12-0x000000001C130000-0x000000001C658000-memory.dmp

Filesize
5.2MB

Download
memory/1320-142-0x00007FFE39143000-0x00007FFE39145000-memory.dmp

Filesize
8KB

Download
memory/1320-4-0x00000000026C0000-0x00000000026DC000-memory.dmp

Filesize
112KB

Download
memory/1320-5-0x000000001B3F0000-0x000000001B440000-memory.dmp

Filesize
320KB

Download
memory/1320-7-0x000000001B370000-0x000000001B380000-memory.dmp

Filesize
64KB

Download
memory/1320-11-0x000000001B3C0000-0x000000001B3D2000-memory.dmp

Filesize
72KB

Download
memory/1320-235-0x00007FFE39140000-0x00007FFE39C01000-memory.dmp

Filesize
10.8MB

Download
memory/1320-13-0x000000001B3D0000-0x000000001B3DA000-memory.dmp

Filesize
40KB

Download
memory/1320-10-0x000000001B3B0000-0x000000001B3BA000-memory.dmp

Filesize
40KB

Download
memory/1320-9-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

Filesize
64KB

Download
memory/1320-8-0x000000001B380000-0x000000001B396000-memory.dmp

Filesize
88KB

Download
memory/1320-16-0x000000001B460000-0x000000001B468000-memory.dmp

Filesize
32KB

Download
memory/1496-82-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1500-632-0x0000000003580000-0x0000000003592000-memory.dmp

Filesize
72KB

Download
memory/1996-273-0x0000019CF4E60000-0x0000019CF4FCA000-memory.dmp

Filesize
1.4MB

Download
memory/2244-270-0x00000223BF0F0000-0x00000223BF25A000-memory.dmp

Filesize
1.4MB

Download
memory/2468-269-0x000001BE7D1C0000-0x000001BE7D32A000-memory.dmp

Filesize
1.4MB

Download
memory/2540-576-0x0000000003540000-0x0000000003552000-memory.dmp

Filesize
72KB

Download
memory/2784-597-0x00000000036E0000-0x00000000036F2000-memory.dmp

Filesize
72KB

Download
memory/3932-267-0x000001ACB5880000-0x000001ACB59EA000-memory.dmp

Filesize
1.4MB

Download
memory/4332-312-0x000001D1721A0000-0x000001D17230A000-memory.dmp

Filesize
1.4MB

Download
memory/4816-268-0x00000199334B0000-0x000001993361A000-memory.dmp

Filesize
1.4MB

Download
memory/4936-259-0x00000209F0160000-0x00000209F02CA000-memory.dmp

Filesize
1.4MB

Download
memory/4960-279-0x000001E339FD0000-0x000001E33A13A000-memory.dmp

Filesize
1.4MB

Download