Analysis
max time kernel: 90s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2024 23:26
Static task: static1
Behavioral task: behavioral1
Sample: b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Resource: win7-20240729-en

General
Target: b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Size: 4.9MB
MD5: 736efb699e6c98e7714ac5c408182dcb
SHA1: 5365421b2342d1e05d742affab93c76e7bc155e5
SHA256: b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667
SHA512: a9293424da54d3457c7a754b5f66324ed271ce066412b9690b8f1ed502a33501e680731c1818d2836eb68724d3236794534bc0f6fb2d75fb283d9033df3bcb98
SSDEEP: 49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8n:n
Malware Config
Extracted
Family: colibri 1.2.0 (Build1)
C2:
http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php
http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
Signatures
Colibri family
DcRat
DarkCrystal RAT (DcRat) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Two families are tagged on this run: the extracted C2 configuration is Colibri, while the YARA hit on the sample's own memory (further down) is DcRat.
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here, however, the parent is the WMI provider host (wmiprvse.exe), which is the parent of record whenever a process is started through WMI (Win32_Process.Create) rather than directly; with 51 schtasks.exe children and no other exploit indicator on the page, the more likely reading is that the sample registers its scheduled tasks through WMI, not that wmiprvse.exe was exploited.
description (all 51 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (parent): 640, procid_target 82
Process (child): schtasks.exe, pids:
740, 3092, 2776, 4664, 3260, 3860, 5060, 2452, 2952, 372, 5048, 1628, 2948, 4420, 4604, 1552, 4532, 2544, 2896, 548, 3684, 3900, 1836, 812, 2840, 2480, 3008, 1052, 1864, 3528, 1468, 4660, 3956, 2276, 2824, 1872, 1860, 2028, 636, 3516, 872, 712, 1384, 2008, 2956, 3020, 4876, 3448, 2352, 4516, 432
PIDs are reused during the run (2276 and 4660 appear here as schtasks.exe and elsewhere in the report as powershell.exe), so correlate rows by procid and time rather than by PID alone.
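As an added example, not part of the sandbox report: PowerShell detection logic for the parent/child pair in the table above, run over constructed Sysmon-style process-creation events and, optionally, over the live Sysmon log. The PIDs and the parent image in the constructed events come from the report; the command lines and timestamps are assumed, since the page records neither.

```powershell
# Added example (not from the sandbox report): flag LOLBins launched under the
# WMI provider host, the parent/child pair this report shows 51 times.
# Assumes Sysmon with Event ID 1 enabled for the live query; the constructed
# events below let the filter run on any host without it.

function Test-WmiSpawnedProcess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Record
    )
    process {
        # Match on the parent image, never on the PID: PIDs are reused (see the report)
        $parentIsWmi   = $Record.ParentImage -match '\\wbem\\wmiprvse\.exe$'
        # Children worth alerting on when the WMI host is the parent
        $childIsLolbin = $Record.Image -match '\\(schtasks|cmd|powershell|rundll32|regsvr32|mshta)\.exe$'
        if ($parentIsWmi -and $childIsLolbin) {
            [pscustomobject]@{
                Time        = $Record.UtcTime
                ParentPid   = $Record.ParentProcessId
                Pid         = $Record.ProcessId
                Image       = $Record.Image
                CommandLine = $Record.CommandLine
                Reason      = 'wmiprvse.exe parent: process created via WMI (Win32_Process.Create)'
            }
        }
    }
}

# Constructed sample events shaped like Sysmon EID 1 fields. PIDs 640/740/3092 and the
# drop paths are from the report; command lines and times are assumed for illustration.
$sample = @(
    [pscustomobject]@{ UtcTime='2024-12-05 23:27:01'; ParentProcessId=640; ProcessId=740
        ParentImage='C:\Windows\system32\wbem\wmiprvse.exe'; Image='C:\Windows\System32\schtasks.exe'
        CommandLine='schtasks.exe /create /tn "System" /tr "C:\Program Files\Crashpad\reports\System.exe" /sc minute /mo 5 /f' }
    [pscustomobject]@{ UtcTime='2024-12-05 23:27:01'; ParentProcessId=640; ProcessId=3092
        ParentImage='C:\Windows\system32\wbem\wmiprvse.exe'; Image='C:\Windows\System32\schtasks.exe'
        CommandLine='schtasks.exe /create /tn "winlogon" /tr "C:\Program Files\ModifiableWindowsApps\winlogon.exe" /sc onlogon /rl highest /f' }
    # Benign: the WMI host spawning a console host is not interesting
    [pscustomobject]@{ UtcTime='2024-12-05 23:27:02'; ParentProcessId=640; ProcessId=4100
        ParentImage='C:\Windows\system32\wbem\wmiprvse.exe'; Image='C:\Windows\System32\conhost.exe'
        CommandLine='conhost.exe 0xffffffff' }
    # Benign: schtasks under explorer.exe is an interactive user
    [pscustomobject]@{ UtcTime='2024-12-05 23:27:03'; ParentProcessId=5200; ProcessId=5212
        ParentImage='C:\Windows\explorer.exe'; Image='C:\Windows\System32\schtasks.exe'
        CommandLine='schtasks.exe /query' }
)

$sample | Test-WmiSpawnedProcess | Format-Table -AutoSize

# Live hunt: Sysmon EID 1 from the last 24 h carries the same field names
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    } |
    Test-WmiSpawnedProcess
```

The filter keys on ParentImage rather than ParentProcessId on purpose: the report itself shows PID reuse within a single run, and a host reuses PIDs far more aggressively. Without Sysmon, Security event 4688 with "Creator Process Name" enabled gives the same parent/child pair.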
Modifies UAC policy in the registry 27 IoCs
All three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are set to 0: EnableLUA=0 turns UAC off at the next logon, ConsentPromptBehaviorAdmin=0 elevates administrators without a prompt, and PromptOnSecureDesktop=0 moves any remaining prompt off the secure desktop. Rows marked "Process not Found" are writes whose originating PID the sandbox could not map back to a tracked image.
description | ioc | Process (rows)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (1), System.exe (1), Process not Found (7)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (1), System.exe (1), Process not Found (7)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (1), System.exe (1), Process not Found (7)
resource: behavioral2/memory/1660-3-0x000000001B5D0000-0x000000001B6FE000-memory.dmp
yara_rule: dcrat (matched in a memory dump of PID 1660, the sample's own process, range 0x1B5D0000-0x1B6FE000)
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Process: powershell.exe, pids: 1716, 1968, 4624, 4660, 1428, 2276, 1492, 1496, 3540, 1952, 632
The page does not record the command lines. On a live host the resulting exclusions are visible through Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess), and each change is logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.
Checks computer location settings 2 TTPs 9 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Process (rows): b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (1), System.exe (1), Process not Found (7)
Executes dropped EXE 64 IoCs
Process: tmpDB4D.tmp.exe (all 64 rows), pids:
3004, 412, 1584, 1776, 5036, 1464, 1372, 392, 2448, 3628, 4668, 3848, 4200, 624, 3732, 3272, 3980, 4444, 1392, 3040, 2584, 1004, 2592, 3096, 2816, 1156, 5040, 3860, 5108, 2056, 2548, 748, 3976, 4600, 4152, 4980, 4412, 2284, 4312, 3832, 2632, 2536, 1864, 1468, 1716, 2824, 2648, 1860, 820, 712, 2124, 2320, 2668, 4876, 4392, 4556, 2664, 5012, 2036, 3428, 3544, 848, 4520, 2440
Every row is the same dropped binary; the WriteProcessMemory rows at the end of the report show each instance writing into the next one it launches, so this is one self-re-spawning chain rather than 64 independent launches.
Checks and sets EnableLUA 18 IoCs
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process | Key value queried (rows) | Set value (int) EnableLUA = "0" (rows)
b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe | 1 | 1
System.exe | 1 | 1
Process not Found | 7 | 7
The read-then-write pairing is the usual sequence of checking whether UAC is enabled and then disabling it.
Suspicious use of SetThreadContext 7 IoCs
SetThreadContext on a process the caller has just created is the process-hollowing (RunPE) pattern: the child's main thread is redirected to code written into it before it resumes. Only the first row still resolves to an image name (tmp2342.tmp.exe, a second dropped temporary executable); the sandbox could not map the others to an image.
pid | Process | set thread context of | procid_target
744 | tmp2342.tmp.exe | 4064 | 1311
3468 | Process not Found | 4732 | 1644
3948 | Process not Found | 2908 | 2758
4400 | Process not Found | 3800 | 3547
4244 | Process not Found | 3604 | 3716
4664 | Process not Found | 404 | 4747
4692 | Process not Found | 4960 | 4918
Drops file in Program Files directory 25 IoCs
All 25 rows are written by the sample (b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe). Every dropped executable carries the name of a legitimate Windows binary (System.exe, winlogon.exe, services.exe, RuntimeBroker.exe, SearchApp.exe, TextInputHost.exe) placed in a directory where that name does not belong; each sits beside a 14-character companion file and an RCX*.tmp temporary that is opened for modification alongside it.
C:\Program Files\Crashpad\reports\: System.exe (created, opened for modification), 27d1bcfc3c54e0 (created), RCXE69E.tmp (opened for modification)
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\: TextInputHost.exe (created, opened for modification), b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (created, opened for modification), 22eafd247d37c3 (created), ed182de8bff0b2 (created), RCXE285.tmp and RCXF945.tmp (opened for modification)
C:\Program Files\Windows NT\Accessories\es-ES\: RuntimeBroker.exe (created, opened for modification), 9e8d7a4ca61bd9 (created), RCXF711.tmp (opened for modification)
C:\Program Files\Google\Chrome\: services.exe (created, opened for modification), c5b4cb5e9653cc (created), RCXE081.tmp (opened for modification)
C:\Program Files (x86)\Microsoft.NET\: SearchApp.exe (created, opened for modification), 38384e6a620884 (created), RCXEEEF.tmp (opened for modification)
C:\Program Files\ModifiableWindowsApps\: winlogon.exe (created)
Drops file in Windows directory 13 IoCs
All 13 rows are written by the sample; the naming pattern is the same as in Program Files.
C:\Windows\System\Speech\: smss.exe (created)
C:\Windows\bcastdvr\: SearchApp.exe (created, opened for modification), 38384e6a620884 (created), RCXFB49.tmp (opened for modification)
C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\: System.exe (created, opened for modification), 27d1bcfc3c54e0 (created), RCXE8B2.tmp (opened for modification)
C:\Windows\appcompat\: dllhost.exe (created, opened for modification), 5940a34987c991 (created), RCXEAC7.tmp (opened for modification)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (rows): tmpDB4D.tmp.exe (14), Process not Found (50)
Together with the Geo\Nation query above, this is the locale check behind the geofence the report suggests.
Modifies registry class 9 IoCs
Key created: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings
Process (rows): b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe (1), System.exe (1), Process not Found (7)
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe, pids:
2776, 3260, 1860, 2956, 4876, 3448, 3092, 712, 1384, 3020, 4516, 3860, 1628, 4604, 548, 1836, 3528, 4420, 3900, 812, 2276, 872, 372, 1052, 1468, 432, 5060, 2452, 5048, 2544, 2896, 1864, 636, 2008, 4664, 2840, 2480, 4660, 2824, 1872, 2028, 2352, 740, 2952, 2948, 1552, 4532, 3684, 3008, 3956, 3516
These are the same 51 schtasks.exe instances that the "Process spawned unexpected child process" table attributes to wmiprvse.exe (PID 640). The page does not record the task names or the commands they run.
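An added triage script, not part of the report, that covers four of the artifact classes above in one pass: the UAC policy values written to 0, the Defender exclusions added by the PowerShell children, the masqueraded binaries dropped under Program Files and the Windows directory, and scheduled tasks whose action points into those drop locations. It assumes a Windows host with the Defender and ScheduledTasks PowerShell modules and an elevated session; the paths are the report's drop locations, and no task names are assumed because the page does not record them. The running-process check generalises the drop list to any process using one of these system binary names from outside System32 or SystemApps.

```powershell
# Added example (not from the sandbox report): triage a Windows host for the
# artifacts listed in the report. Run elevated. Requires the Defender and
# ScheduledTasks modules (present on Windows 10/11 and Server 2016+).

# Drop locations taken from the report's "Drops file" tables
$dropPaths = @(
    'C:\Program Files\Crashpad\reports\System.exe',
    'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TextInputHost.exe',
    'C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe',
    'C:\Program Files\Google\Chrome\services.exe',
    'C:\Program Files (x86)\Microsoft.NET\SearchApp.exe',
    'C:\Program Files\ModifiableWindowsApps\winlogon.exe',
    'C:\Windows\System\Speech\smss.exe',
    'C:\Windows\bcastdvr\SearchApp.exe',
    'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\System.exe',
    'C:\Windows\appcompat\dllhost.exe'
)

function Get-UacPolicyFindings {
    # EnableLUA=0 disables UAC at next logon; the other two silence the prompt
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    foreach ($name in 'EnableLUA','ConsentPromptBehaviorAdmin','PromptOnSecureDesktop') {
        if ($p.$name -eq 0) {
            [pscustomobject]@{ Check='UAC policy'; Item="$name=0"; Detail=$key }
        }
    }
}

function Get-DefenderExclusionFindings {
    # The report's powershell.exe children added exclusions; any entry needs review
    $mp = Get-MpPreference
    foreach ($kind in 'ExclusionPath','ExclusionExtension','ExclusionProcess') {
        foreach ($v in @($mp.$kind)) {
            if ($v) { [pscustomobject]@{ Check='Defender exclusion'; Item=$kind; Detail=$v } }
        }
    }
}

function Get-DroppedFileFindings {
    # -LiteralPath because one drop directory is a GUID in braces
    foreach ($path in $dropPaths) {
        if (Test-Path -LiteralPath $path) {
            $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Check='Masqueraded binary'; Item=$path; Detail="sha256=$h" }
        }
    }
}

function Get-RunningMasqueradeFindings {
    # Generalises the drop list: these names belong under System32 or SystemApps only.
    # Protected processes (smss, services, winlogon) return no Path and are skipped.
    $names = 'smss','winlogon','services','dllhost','RuntimeBroker','SearchApp','TextInputHost','System'
    foreach ($proc in Get-Process -Name $names -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        if ($path -and $path -notlike 'C:\Windows\System32\*' -and $path -notlike 'C:\Windows\SystemApps\*') {
            [pscustomobject]@{ Check='Running masquerade'; Item="$($proc.Name) (pid $($proc.Id))"; Detail=$path }
        }
    }
}

function Get-TaskFindings {
    # Any task whose Exec action lives in one of the drop directories is persistence for this sample
    $dirs = $dropPaths | ForEach-Object { Split-Path -Path $_ -Parent }
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $exe = $a.Execute
            if ($exe -and ($dirs | Where-Object { $exe -like "*$_*" })) {
                [pscustomobject]@{ Check='Scheduled task'; Item="$($t.TaskPath)$($t.TaskName)"; Detail=$exe }
            }
        }
    }
}

$findings = @(Get-UacPolicyFindings) + @(Get-DefenderExclusionFindings) +
            @(Get-DroppedFileFindings) + @(Get-RunningMasqueradeFindings) + @(Get-TaskFindings)
if ($findings.Count -eq 0) { 'No report artifacts found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Hashes of any file found should be compared against the sample's SHA256 from the General section and against the dropped copies; the 14-character companion files next to each executable are worth collecting too, since the report shows one beside every drop. Removing the scheduled tasks before the files avoids the re-spawn chain restarting mid-cleanup.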
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
1660 | b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe | 27
4624, 632, 1428, 1496, 2276, 1716, 4660, 1492, 1968, 1952, 3540 | powershell.exe | 3 each (33)
3640 | System.exe | 1
4596, 3356, 2452 | Process not Found | 1 each (3)
Suspicious use of AdjustPrivilegeToken 20 IoCs
description pid Process
Token: SeDebugPrivilege 1660 b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Token: SeDebugPrivilege 4624 powershell.exe
Token: SeDebugPrivilege 2276 powershell.exe
Token: SeDebugPrivilege 632 powershell.exe
Token: SeDebugPrivilege 1428 powershell.exe
Token: SeDebugPrivilege 1496 powershell.exe
Token: SeDebugPrivilege 1716 powershell.exe
Token: SeDebugPrivilege 1952 powershell.exe
Token: SeDebugPrivilege 4660 powershell.exe
Token: SeDebugPrivilege 1492 powershell.exe
Token: SeDebugPrivilege 1968 powershell.exe
Token: SeDebugPrivilege 3540 powershell.exe
Token: SeDebugPrivilege 3640 System.exe
Token: SeDebugPrivilege 4596 Process not Found
Token: SeDebugPrivilege 3356 Process not Found
Token: SeDebugPrivilege 2452 Process not Found
Token: SeDebugPrivilege 4512 Process not Found
Token: SeDebugPrivilege 676 Process not Found
Token: SeDebugPrivilege 5060 Process not Found
Token: SeDebugPrivilege 632 Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1660 wrote to memory of 3004 1660 b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe 134
PID 1660 wrote to memory of 3004 1660 b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe 134
PID 1660 wrote to memory of 3004 1660 b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe 134
PID 3004 wrote to memory of 412 3004 tmpDB4D.tmp.exe 136
PID 3004 wrote to memory of 412 3004 tmpDB4D.tmp.exe 136
PID 3004 wrote to memory of 412 3004 tmpDB4D.tmp.exe 136
PID 412 wrote to memory of 1584 412 tmpDB4D.tmp.exe 137
PID 412 wrote to memory of 1584 412 tmpDB4D.tmp.exe 137
PID 412 wrote to memory of 1584 412 tmpDB4D.tmp.exe 137
PID 1584 wrote to memory of 1776 1584 tmpDB4D.tmp.exe 138
PID 1584 wrote to memory of 1776 1584 tmpDB4D.tmp.exe 138
PID 1584 wrote to memory of 1776 1584 tmpDB4D.tmp.exe 138
PID 1776 wrote to memory of 5036 1776 tmpDB4D.tmp.exe 139
PID 1776 wrote to memory of 5036 1776 tmpDB4D.tmp.exe 139
PID 1776 wrote to memory of 5036 1776 tmpDB4D.tmp.exe 139
PID 5036 wrote to memory of 1464 5036 tmpDB4D.tmp.exe 140
PID 5036 wrote to memory of 1464 5036 tmpDB4D.tmp.exe 140
PID 5036 wrote to memory of 1464 5036 tmpDB4D.tmp.exe 140
PID 1464 wrote to memory of 1372 1464 tmpDB4D.tmp.exe 141
PID 1464 wrote to memory of 1372 1464 tmpDB4D.tmp.exe 141
PID 1464 wrote to memory of 1372 1464 tmpDB4D.tmp.exe 141
PID 1372 wrote to memory of 392 1372 tmpDB4D.tmp.exe 142
PID 1372 wrote to memory of 392 1372 tmpDB4D.tmp.exe 142
PID 1372 wrote to memory of 392 1372 tmpDB4D.tmp.exe 142
PID 392 wrote to memory of 2448 392 tmpDB4D.tmp.exe 203
PID 392 wrote to memory of 2448 392 tmpDB4D.tmp.exe 203
PID 392 wrote to memory of 2448 392 tmpDB4D.tmp.exe 203
PID 2448 wrote to memory of 3628 2448 tmpDB4D.tmp.exe 204
PID 2448 wrote to memory of 3628 2448 tmpDB4D.tmp.exe 204
PID 2448 wrote to memory of 3628 2448 tmpDB4D.tmp.exe 204
PID 3628 wrote to memory of 4668 3628 tmpDB4D.tmp.exe 145
PID 3628 wrote to memory of 4668 3628 tmpDB4D.tmp.exe 145
PID 3628 wrote to memory of 4668 3628 tmpDB4D.tmp.exe 145
PID 4668 wrote to memory of 3848 4668 tmpDB4D.tmp.exe 146
PID 4668 wrote to memory of 3848 4668 tmpDB4D.tmp.exe 146
PID 4668 wrote to memory of 3848 4668 tmpDB4D.tmp.exe 146
PID 3848 wrote to memory of 4200 3848 tmpDB4D.tmp.exe 147
PID 3848 wrote to memory of 4200 3848 tmpDB4D.tmp.exe 147
PID 3848 wrote to memory of 4200 3848 tmpDB4D.tmp.exe 147
PID 4200 wrote to memory of 624 4200 tmpDB4D.tmp.exe 148
PID 4200 wrote to memory of 624 4200 tmpDB4D.tmp.exe 148
PID 4200 wrote to memory of 624 4200 tmpDB4D.tmp.exe 148
PID 624 wrote to memory of 3732 624 tmpDB4D.tmp.exe 149
PID 624 wrote to memory of 3732 624 tmpDB4D.tmp.exe 149
PID 624 wrote to memory of 3732 624 tmpDB4D.tmp.exe 149
PID 3732 wrote to memory of 3272 3732 tmpDB4D.tmp.exe 150
PID 3732 wrote to memory of 3272 3732 tmpDB4D.tmp.exe 150
PID 3732 wrote to memory of 3272 3732 tmpDB4D.tmp.exe 150
PID 3272 wrote to memory of 3980 3272 tmpDB4D.tmp.exe 151
PID 3272 wrote to memory of 3980 3272 tmpDB4D.tmp.exe 151
PID 3272 wrote to memory of 3980 3272 tmpDB4D.tmp.exe 151
PID 4444 wrote to memory of 1392 4444 tmpDB4D.tmp.exe 153
PID 4444 wrote to memory of 1392 4444 tmpDB4D.tmp.exe 153
PID 4444 wrote to memory of 1392 4444 tmpDB4D.tmp.exe 153
PID 1392 wrote to memory of 3040 1392 tmpDB4D.tmp.exe 154
PID 1392 wrote to memory of 3040 1392 tmpDB4D.tmp.exe 154
PID 1392 wrote to memory of 3040 1392 tmpDB4D.tmp.exe 154
PID 3040 wrote to memory of 2584 3040 tmpDB4D.tmp.exe 155
PID 3040 wrote to memory of 2584 3040 tmpDB4D.tmp.exe 155
PID 3040 wrote to memory of 2584 3040 tmpDB4D.tmp.exe 155
PID 2584 wrote to memory of 1004 2584 tmpDB4D.tmp.exe 156
PID 2584 wrote to memory of 1004 2584 tmpDB4D.tmp.exe 156
PID 2584 wrote to memory of 1004 2584 tmpDB4D.tmp.exe 156
PID 1004 wrote to memory of 2592 1004 tmpDB4D.tmp.exe 157
System policy modification 1 TTPs 27 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" System.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" System.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Process not Found
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" System.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Process not Found
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe "C:\Users\Admin\AppData\Local\Temp\b0f29930fd3eb0ee3807127cb7cdc14fdbba8578ac794fec5e9f225fc5c7b667.exe" (depth 1)
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1660
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 3)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 4)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 5)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 6)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 7)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 8)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 9)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 10)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 11)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 12)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 13)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 14)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 15)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 16)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 18)
- Executes dropped EXE
PID:3980
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 23)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 24)
- Executes dropped EXE
PID:2592
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 25)
- Executes dropped EXE
PID:3096
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 26)
- Executes dropped EXE
PID:2816
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 27)
- Executes dropped EXE
PID:1156
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 28)
- Executes dropped EXE
PID:5040
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 29)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3860
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 30)
- Executes dropped EXE
PID:5108
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 31)
- Executes dropped EXE
PID:2056
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 32)
- Executes dropped EXE
PID:2548
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 33)
- Executes dropped EXE
PID:748
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 34)
- Executes dropped EXE
PID:3976
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 35)
- Executes dropped EXE
PID:4600
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 36)
- Executes dropped EXE
PID:4152
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 37)
- Executes dropped EXE
PID:4980
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 38)
- Executes dropped EXE
PID:4412
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 39)
- Executes dropped EXE
PID:2284
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 40)
- Executes dropped EXE
PID:4312
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 41)
- Executes dropped EXE
PID:3832
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 42)
- Executes dropped EXE
PID:2632
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 43)
- Executes dropped EXE
PID:2536
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 44)
- Executes dropped EXE
PID:1864
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 45)
- Executes dropped EXE
PID:1468
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 46)
- Executes dropped EXE
PID:1716
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 47)
- Executes dropped EXE
PID:2824
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 48)
- Executes dropped EXE
PID:2648
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 49)
- Executes dropped EXE
PID:1860
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 50)
- Executes dropped EXE
PID:820
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 51)
- Executes dropped EXE
PID:712
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 52)
- Executes dropped EXE
PID:2124
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 53)
- Executes dropped EXE
PID:2320
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 54)
- Executes dropped EXE
PID:2668
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 55)
- Executes dropped EXE
PID:4876
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 56)
- Executes dropped EXE
PID:4392
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 57)
- Executes dropped EXE
PID:4556
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 58)
- Executes dropped EXE
PID:2664
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 59)
- Executes dropped EXE
PID:5012
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 60)
- Executes dropped EXE
PID:2036
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 61)
- Executes dropped EXE
PID:3428
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 62)
- Executes dropped EXE
PID:3544
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 63)
- Executes dropped EXE
PID:848
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 64)
- Executes dropped EXE
PID:4520
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 65)
- Executes dropped EXE
PID:2440
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 66)
PID:3216
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 67)
PID:4636
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 68)
PID:2200
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 69)
PID:1284
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 70)
PID:2448
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 71)
PID:3628
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 72)
PID:2044
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 73)
PID:1996
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 74)
PID:3076
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 75)
PID:2316
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 76)
PID:4912
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 77)
PID:440
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 78)
PID:768
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 79)
PID:2540
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 80)
PID:2976
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 81)
PID:3312
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 82)
PID:396
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 83)
PID:3996
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 84)
PID:4508
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 85)
PID:740
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 86)
PID:2240
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 87)
PID:4664
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 88)
PID:3920
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 89)
PID:3756
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 90)
PID:3408
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 91)
PID:1868
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 92)
PID:1628
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 93)
PID:1532
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 94)
PID:2548
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 95)
PID:2656
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 96)
PID:3692
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 97)
PID:4204
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 98)
PID:3852
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 99)
PID:2412
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 100)
PID:1604
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 101)
- System Location Discovery: System Language Discovery
PID:3376
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 102)
PID:1948
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 103)
PID:1772
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 104)
PID:1448
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 105)
PID:2632
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 106)
PID:448
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 107)
PID:4380
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 108)
PID:5084
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 109)
PID:1468
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 110)
PID:3168
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 111)
PID:3648
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 112)
PID:3836
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 113)
PID:628
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 114)
PID:1860
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 115)
PID:820
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 116)
PID:1376
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 117)
PID:464
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 118)
PID:3048
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 119)
PID:3512
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 120)
PID:3448
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 121)
PID:4364
C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe "C:\Users\Admin\AppData\Local\Temp\tmpDB4D.tmp.exe" (depth 122)
PID:2504