colibri | 211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Size

4.9MB
MD5

e6c3b728178aafda74462752efcc0d1c
SHA1

ca9bc7682c0e6ef226c1f1390e1369b355366c8f
SHA256

211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6
SHA512

2827bf81f1686a96c1e629c8aac38bebb1947393dd0ae2d9e71619c12fc679df9668bfe05fddae04caa3d83cebe7cae4cbeee0e54173054bffadd004cc8b9c5c
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	1432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	1432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	1432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1432	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1432	schtasks.exe	83

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3424-3-0x000000001B330000-0x000000001B45E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe
2980	powershell.exe
4964	powershell.exe
2076	powershell.exe
2520	powershell.exe
4692	powershell.exe
2140	powershell.exe
4624	powershell.exe
4576	powershell.exe
4508	powershell.exe
4960	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	unsecapp.exe

Executes dropped EXE 46 IoCs

pid	Process
4804	unsecapp.exe
4752	tmpA7E8.tmp.exe
3492	tmpA7E8.tmp.exe
588	unsecapp.exe
4996	tmpC44A.tmp.exe
116	tmpC44A.tmp.exe
2296	unsecapp.exe
2728	tmpE000.tmp.exe
4508	tmpE000.tmp.exe
3012	unsecapp.exe
3424	tmp1047.tmp.exe
4388	tmp1047.tmp.exe
1216	tmp1047.tmp.exe
1344	tmp1047.tmp.exe
2908	unsecapp.exe
3768	tmp411B.tmp.exe
4744	tmp411B.tmp.exe
2792	unsecapp.exe
444	tmp5E77.tmp.exe
1656	tmp5E77.tmp.exe
5076	unsecapp.exe
4544	tmp8EED.tmp.exe
1596	tmp8EED.tmp.exe
1800	unsecapp.exe
2420	tmpC0DA.tmp.exe
3956	tmpC0DA.tmp.exe
1232	unsecapp.exe
4996	tmpDCCE.tmp.exe
4068	tmpDCCE.tmp.exe
5024	tmpDCCE.tmp.exe
4428	tmpDCCE.tmp.exe
844	unsecapp.exe
5048	tmpD73.tmp.exe
3872	tmpD73.tmp.exe
3660	unsecapp.exe
4320	tmp3DDA.tmp.exe
2480	tmp3DDA.tmp.exe
3348	unsecapp.exe
1416	tmp6E12.tmp.exe
3644	tmp6E12.tmp.exe
4292	unsecapp.exe
996	tmp9E0B.tmp.exe
3404	tmp9E0B.tmp.exe
3860	unsecapp.exe
3380	tmpBA0F.tmp.exe
4448	tmpBA0F.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 3492	4752	tmpA7E8.tmp.exe	126
PID 4996 set thread context of 116	4996	tmpC44A.tmp.exe	141
PID 2728 set thread context of 4508	2728	tmpE000.tmp.exe	150
PID 1216 set thread context of 1344	1216	tmp1047.tmp.exe	164
PID 3768 set thread context of 4744	3768	tmp411B.tmp.exe	173
PID 444 set thread context of 1656	444	tmp5E77.tmp.exe	182
PID 4544 set thread context of 1596	4544	tmp8EED.tmp.exe	191
PID 2420 set thread context of 3956	2420	tmpC0DA.tmp.exe	200
PID 5024 set thread context of 4428	5024	tmpDCCE.tmp.exe	212
PID 5048 set thread context of 3872	5048	tmpD73.tmp.exe	221
PID 4320 set thread context of 2480	4320	tmp3DDA.tmp.exe	231
PID 1416 set thread context of 3644	1416	tmp6E12.tmp.exe	240
PID 996 set thread context of 3404	996	tmp9E0B.tmp.exe	249
PID 3380 set thread context of 4448	3380	tmpBA0F.tmp.exe	258

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\unsecapp.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files\Java\jdk-1.8\29c1c3cc0f7685	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\RCX8203.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\unsecapp.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7E8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC44A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0DA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3DDA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E12.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE000.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8EED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD73.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E0B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1047.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1047.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1047.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp411B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E77.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDCCE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDCCE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDCCE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA0F.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	unsecapp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
4336	schtasks.exe
2960	schtasks.exe
4292	schtasks.exe
1332	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
3052	powershell.exe
3052	powershell.exe
2980	powershell.exe
2980	powershell.exe
2520	powershell.exe
2520	powershell.exe
4508	powershell.exe
4508	powershell.exe
2140	powershell.exe
2140	powershell.exe
4576	powershell.exe
4576	powershell.exe
4964	powershell.exe
4964	powershell.exe
3052	powershell.exe
4624	powershell.exe
4624	powershell.exe
2076	powershell.exe
2076	powershell.exe
4960	powershell.exe
4960	powershell.exe
4692	powershell.exe
4692	powershell.exe
4960	powershell.exe
4508	powershell.exe
2980	powershell.exe
4964	powershell.exe
2520	powershell.exe
4576	powershell.exe
2140	powershell.exe
4624	powershell.exe
2076	powershell.exe
4692	powershell.exe
4804	unsecapp.exe
588	unsecapp.exe
2296	unsecapp.exe
3012	unsecapp.exe
2908	unsecapp.exe
2792	unsecapp.exe
5076	unsecapp.exe
1800	unsecapp.exe
1232	unsecapp.exe
844	unsecapp.exe
3660	unsecapp.exe
3348	unsecapp.exe
4292	unsecapp.exe
3860	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4804	unsecapp.exe
Token: SeDebugPrivilege	588	unsecapp.exe
Token: SeDebugPrivilege	2296	unsecapp.exe
Token: SeDebugPrivilege	3012	unsecapp.exe
Token: SeDebugPrivilege	2908	unsecapp.exe
Token: SeDebugPrivilege	2792	unsecapp.exe
Token: SeDebugPrivilege	5076	unsecapp.exe
Token: SeDebugPrivilege	1800	unsecapp.exe
Token: SeDebugPrivilege	1232	unsecapp.exe
Token: SeDebugPrivilege	844	unsecapp.exe
Token: SeDebugPrivilege	3660	unsecapp.exe
Token: SeDebugPrivilege	3348	unsecapp.exe
Token: SeDebugPrivilege	4292	unsecapp.exe
Token: SeDebugPrivilege	3860	unsecapp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 3052	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	90
PID 3424 wrote to memory of 3052	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	90
PID 3424 wrote to memory of 4692	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	91
PID 3424 wrote to memory of 4692	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	91
PID 3424 wrote to memory of 2140	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	92
PID 3424 wrote to memory of 2140	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	92
PID 3424 wrote to memory of 2980	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	93
PID 3424 wrote to memory of 2980	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	93
PID 3424 wrote to memory of 4624	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	94
PID 3424 wrote to memory of 4624	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	94
PID 3424 wrote to memory of 4576	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	95
PID 3424 wrote to memory of 4576	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	95
PID 3424 wrote to memory of 4964	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	96
PID 3424 wrote to memory of 4964	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	96
PID 3424 wrote to memory of 2076	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	97
PID 3424 wrote to memory of 2076	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	97
PID 3424 wrote to memory of 2520	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	98
PID 3424 wrote to memory of 2520	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	98
PID 3424 wrote to memory of 4508	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	99
PID 3424 wrote to memory of 4508	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	99
PID 3424 wrote to memory of 4960	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	100
PID 3424 wrote to memory of 4960	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	100
PID 3424 wrote to memory of 2464	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	111
PID 3424 wrote to memory of 2464	3424	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	111
PID 2464 wrote to memory of 4808	2464	cmd.exe	114
PID 2464 wrote to memory of 4808	2464	cmd.exe	114
PID 2464 wrote to memory of 4804	2464	cmd.exe	115
PID 2464 wrote to memory of 4804	2464	cmd.exe	115
PID 4804 wrote to memory of 4140	4804	unsecapp.exe	119
PID 4804 wrote to memory of 4140	4804	unsecapp.exe	119
PID 4804 wrote to memory of 636	4804	unsecapp.exe	120
PID 4804 wrote to memory of 636	4804	unsecapp.exe	120
PID 4804 wrote to memory of 4752	4804	unsecapp.exe	124
PID 4804 wrote to memory of 4752	4804	unsecapp.exe	124
PID 4804 wrote to memory of 4752	4804	unsecapp.exe	124
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4752 wrote to memory of 3492	4752	tmpA7E8.tmp.exe	126
PID 4140 wrote to memory of 588	4140	WScript.exe	131
PID 4140 wrote to memory of 588	4140	WScript.exe	131
PID 588 wrote to memory of 4576	588	unsecapp.exe	137
PID 588 wrote to memory of 4576	588	unsecapp.exe	137
PID 588 wrote to memory of 3912	588	unsecapp.exe	138
PID 588 wrote to memory of 3912	588	unsecapp.exe	138
PID 588 wrote to memory of 4996	588	unsecapp.exe	139
PID 588 wrote to memory of 4996	588	unsecapp.exe	139
PID 588 wrote to memory of 4996	588	unsecapp.exe	139
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4996 wrote to memory of 116	4996	tmpC44A.tmp.exe	141
PID 4576 wrote to memory of 2296	4576	WScript.exe	144
PID 4576 wrote to memory of 2296	4576	WScript.exe	144
PID 2296 wrote to memory of 5024	2296	unsecapp.exe	146
PID 2296 wrote to memory of 5024	2296	unsecapp.exe	146
PID 2296 wrote to memory of 5028	2296	unsecapp.exe	147
PID 2296 wrote to memory of 5028	2296	unsecapp.exe	147

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
"C:\Users\Admin\AppData\Local\Temp\211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8GXi6ILyIs.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4808
- - C:\Program Files\Java\jdk-1.8\unsecapp.exe
    "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f388d27-28c7-4afb-92e7-e51eaff1c851.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:588
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b310937-a6f2-447e-81ca-39ae1b516fa5.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e10e0726-35f7-464b-91f6-a932c1cf4e97.vbs"
        8⤵
        
        PID:5024
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4429b326-83cf-4476-93ac-c7ce93360620.vbs"
        10⤵
        
        PID:1904
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04d8ba27-680b-4d5a-b349-7f040f2d88c7.vbs"
        12⤵
        
        PID:1508
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ade8c605-3311-4917-9bf8-0b31e320aac7.vbs"
        14⤵
        
        PID:560
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45b32a48-b4f9-4f74-b8ba-d41b9dae6162.vbs"
        16⤵
        
        PID:3012
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\825002e7-023e-4770-8a22-d979301daec7.vbs"
        18⤵
        
        PID:3836
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5b98d2b-3a5d-4cc3-9313-c5906ffc4c66.vbs"
        20⤵
        
        PID:3060
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d07150ac-1bd6-4baf-b698-3da495bc76df.vbs"
        22⤵
        
        PID:5020
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60060717-3e04-45fc-b880-55d7590c3cbb.vbs"
        24⤵
        
        PID:2704
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fd7a009-3c87-43a8-aa47-f6941afbdab0.vbs"
        26⤵
        
        PID:1048
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9135a9e-2804-441b-bf46-8bed2c488c46.vbs"
        28⤵
        
        PID:3472
        
        C:\Program Files\Java\jdk-1.8\unsecapp.exe
        
        "C:\Program Files\Java\jdk-1.8\unsecapp.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6393052d-8a1a-429c-8fa1-138c0c98608b.vbs"
        30⤵
        
        PID:1920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5c37fc1-3caa-4d2f-811e-427f54838b67.vbs"
        30⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmpBA0F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBA0F.tmp.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmpBA0F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBA0F.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e83cef3-6313-4f10-80ab-b4cf696d9f19.vbs"
        28⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E0B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E0B.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E0B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E0B.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:3404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18350a72-2ab6-4a41-a9e0-a5d8beb1a397.vbs"
        26⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp6E12.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6E12.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp6E12.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6E12.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70a75ec6-695c-4f9a-bf7e-8fd537bf259d.vbs"
        24⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DDA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DDA.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DDA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DDA.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3955760-20c0-4313-b73c-94c8e87ddd69.vbs"
        22⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmpD73.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD73.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmpD73.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD73.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5756f5a-1f00-4258-943a-3885da308ba4.vbs"
        20⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDCCE.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9520c71-c5fa-423f-85ee-1b1a238a6928.vbs"
        18⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC0DA.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cacf5731-3db3-4324-b92a-83e75600d783.vbs"
        16⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8EED.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbcdddd5-92c3-44e3-bd40-db442847a0c4.vbs"
        14⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E77.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E77.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E77.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E77.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86f571fa-4ba9-43cd-9b0d-055ef04dbdfc.vbs"
        12⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp411B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp411B.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp411B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp411B.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92195714-4c57-4bf1-982a-d8514e4b381c.vbs"
        10⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1047.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e138dc06-315c-4e63-8432-14e2dd5dc62c.vbs"
        8⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE000.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4508
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\418b53c6-26d4-4dab-94ce-e31183630265.vbs"
        6⤵
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC44A.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:116
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40bf8634-c46a-4a7b-9486-18d8e5af9ed9.vbs"
      4⤵
      PID:636
  - - C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\AppData\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk-1.8\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\unsecapp.exe

Filesize
4.9MB

MD5
d23c2dd6f83a6133d460902aea649e02

SHA1
ced651459ff7adf34dd8dc31488126d66631a4f2

SHA256
592c59dcf424c6027cd439b7cb05f6b76c8aaefa057ed4de4904c3e7323a45c6

SHA512
922e528768a4f4cddd4679b2e3a01a2853add2fca757a7590356bc06007b1cf7264a0b37a11f5922dffd5d8e4f4ef46469971f1f3d0d05ec6c59376c521181fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\unsecapp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\04d8ba27-680b-4d5a-b349-7f040f2d88c7.vbs

Filesize
718B

MD5
beaee9f41a4b741c109355d2872c980c

SHA1
ed5df81ec52fd558445d6f7c350e2bcefe0b5d58

SHA256
7928ca54830e50f163f754ab38c4bc64362c056914bb081c3d402771ec3bb7c7

SHA512
31bd38414a9dab5c1c13b05e172b736209c189c53675f3fb776206b31e195105d7d32533a1ab76e36bd420bb89c69252d0c98593f052b2adc4748a1043f180bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f388d27-28c7-4afb-92e7-e51eaff1c851.vbs

Filesize
718B

MD5
4ab703a27daf9c09864bf08ee31f97e7

SHA1
8eca7ac1d508e02cd0e352d37c5aa289d84be0fd

SHA256
f6f7e43a5508d27421ad7b77c4da40e46155799dfa5b5da17a78f39c2009b56d

SHA512
bc1d6424e2ed8e5242af3999757216fc171e6fb9a24ddf147c7683d415bad8626552e95d7e0da40374e12992fdd62c935628b558ae78158c46259e4ae6c7a107

Download Submit
C:\Users\Admin\AppData\Local\Temp\40bf8634-c46a-4a7b-9486-18d8e5af9ed9.vbs

Filesize
494B

MD5
29bcf149adf14ed378dbe0bfee1a52fd

SHA1
a694331ce3ba81fc29588fdf09458e0df884c074

SHA256
593af1650015982353648754e3cbfae08c0bd44eda6f53ddee4477e4b6ba0345

SHA512
437ef181c6da289d4a8c4de0da8cc1b36263c5ce3273e5f2f09f9c6f90b8a556f5721aacdb0e6d909e3a6b08258c41a7c15f419af4991f81e7806728279560eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4429b326-83cf-4476-93ac-c7ce93360620.vbs

Filesize
718B

MD5
ccddd0aac987ce19c2af3e0151f393d9

SHA1
3eda502f365575c095cfbbac89b32e93680d0cda

SHA256
1943dd30e8f13842847eeee696d1242c35bcca92407d5fa1a4f0785735994071

SHA512
3ff10ac1d6d360cb699797d31373bc27a12c2720a8e420c21dde651cd78c09bf7492dc05daeb55e1f70272ace9b7ee855e5d25a24839e4b24daa209930ff2611

Download Submit
C:\Users\Admin\AppData\Local\Temp\45b32a48-b4f9-4f74-b8ba-d41b9dae6162.vbs

Filesize
718B

MD5
075fb416ec86829fbd2f9cb073894971

SHA1
a09e7a933d874167ccc3598271347ddf8f280c2e

SHA256
a4dcb5a0c48bc4ac44903f9d5a0f494807473aeb0cd3a6275f05b29542715cc0

SHA512
40c340a6df16aa960d06a893ad2727ad78ccdb2e3a82f155908b4c8c399e3f8a5e08fece9d954cc529014d38638ea96ea0ab280aa8b04005878036819b494a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\8GXi6ILyIs.bat

Filesize
207B

MD5
d53533482ef2996df0aa9d4a682a7110

SHA1
a701f3947e21320a38a38595a08617dd3ee93f5b

SHA256
643e751445df2b3d1e46721af8c18b95c4ff568b2299483542d9043bf1381380

SHA512
f4cd40bcb713d94d3140ceab606cbdb525b240cc6234f4604930d77c4e462574ea02a9d2605e7a7fb14a5811732ee823a37baff59e9d482eaa13a301bae7ad8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b310937-a6f2-447e-81ca-39ae1b516fa5.vbs

Filesize
717B

MD5
fce48d6c1f368e8cb6d7e79ec2b48941

SHA1
5eda508d2e71133eb9bf13ffd9ddc1c2f92079b2

SHA256
9ab887302c4643b53b76cdf3e7da744fcf4b38d7b089a6f799e08dba418a4509

SHA512
950e000ef23437db767d2a2353575f5c976c34f011829296f906505c40f5c58beac3a5dd49461d5a7df420d6c71afa3ff8cb850ac5df3bd4d54b6a7f8d317654

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgmxqknd.sen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ade8c605-3311-4917-9bf8-0b31e320aac7.vbs

Filesize
718B

MD5
2125dabc25cb2cecb02a4e2b32cc43be

SHA1
5acfa5d4ba4febd4323911160a080a599ac0717d

SHA256
2520776e43da40e09b366c4fe22df64cc54ca5fa55c23f0ce49cb9ccd09801d2

SHA512
b2ade034d7c533fc04252da2b5755e0fb64e7b708a0e63bee7f4fc0b27eec682e570795d623212306ec6ed0fd091fb3ad4fa61dcc45da83d365f6d3fc8582194

Download Submit
C:\Users\Admin\AppData\Local\Temp\e10e0726-35f7-464b-91f6-a932c1cf4e97.vbs

Filesize
718B

MD5
2aa96660014899eac1540c40fd40433c

SHA1
c2184ba3d936b47aaaa132df229c2441bfa87a3a

SHA256
928d3c089f297ec94befcee0bc2bce4e88940bb5e0edd90107f31736dcd355cf

SHA512
08a9fe8b0e9f1d7496d8d812ace874bbb2b27784a81f6e46b0df24665edc13f8d1498bb3c0acde04669f9ff65ee10562341e07ff7e0cd394f81d564af202e0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8e9e1053a6e45a09172be457ddfb669a53a3ecf.exe

Filesize
4.9MB

MD5
eae53741d2afb34d23c3617e8f029848

SHA1
a7cf69431f600f20e376a9c84893abe1c41892c3

SHA256
0278c73f176347979192f3b7553d7822878ffc2591549116b8f6431887ff3ed1

SHA512
027fa483db9e7da81dbd67df6f802f07cce092c27b1c67b87937e162a3ffa785e715ff3256015f0b040118ec6afc268ae1a934e846546c7f899c0619af5eec8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7E8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\AppData\upfc.exe

Filesize
4.9MB

MD5
e6c3b728178aafda74462752efcc0d1c

SHA1
ca9bc7682c0e6ef226c1f1390e1369b355366c8f

SHA256
211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6

SHA512
2827bf81f1686a96c1e629c8aac38bebb1947393dd0ae2d9e71619c12fc679df9668bfe05fddae04caa3d83cebe7cae4cbeee0e54173054bffadd004cc8b9c5c

Download Submit
memory/2076-180-0x00000235F3DE0000-0x00000235F3E28000-memory.dmp

Filesize
288KB

Download
memory/2140-170-0x000002946EDA0000-0x000002946EDE8000-memory.dmp

Filesize
288KB

Download
memory/2296-232-0x000000001BB60000-0x000000001BB72000-memory.dmp

Filesize
72KB

Download
memory/2520-163-0x000001D56E710000-0x000001D56E758000-memory.dmp

Filesize
288KB

Download
memory/2980-165-0x0000024318440000-0x0000024318488000-memory.dmp

Filesize
288KB

Download
memory/3052-47-0x0000023DCAAE0000-0x0000023DCAB02000-memory.dmp

Filesize
136KB

Download
memory/3052-149-0x0000023DCAB40000-0x0000023DCAB88000-memory.dmp

Filesize
288KB

Download
memory/3424-14-0x000000001BBF0000-0x000000001BBFE000-memory.dmp

Filesize
56KB

Download
memory/3424-12-0x000000001C110000-0x000000001C638000-memory.dmp

Filesize
5.2MB

Download
memory/3424-1-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/3424-2-0x00007FF9CFB50000-0x00007FF9D0611000-memory.dmp

Filesize
10.8MB

Download
memory/3424-60-0x00007FF9CFB50000-0x00007FF9D0611000-memory.dmp

Filesize
10.8MB

Download
memory/3424-16-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/3424-17-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/3424-18-0x000000001BC30000-0x000000001BC3C000-memory.dmp

Filesize
48KB

Download
memory/3424-13-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/3424-3-0x000000001B330000-0x000000001B45E000-memory.dmp

Filesize
1.2MB

Download
memory/3424-4-0x000000001B460000-0x000000001B47C000-memory.dmp

Filesize
112KB

Download
memory/3424-0-0x00007FF9CFB53000-0x00007FF9CFB55000-memory.dmp

Filesize
8KB

Download
memory/3424-5-0x000000001BB80000-0x000000001BBD0000-memory.dmp

Filesize
320KB

Download
memory/3424-15-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/3424-7-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/3424-8-0x000000001BB40000-0x000000001BB56000-memory.dmp

Filesize
88KB

Download
memory/3424-11-0x000000001BBD0000-0x000000001BBE2000-memory.dmp

Filesize
72KB

Download
memory/3424-10-0x000000001BB70000-0x000000001BB7A000-memory.dmp

Filesize
40KB

Download
memory/3424-9-0x000000001BB60000-0x000000001BB70000-memory.dmp

Filesize
64KB

Download
memory/3424-6-0x000000001B480000-0x000000001B488000-memory.dmp

Filesize
32KB

Download
memory/3492-204-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3660-406-0x0000000003140000-0x0000000003152000-memory.dmp

Filesize
72KB

Download
memory/4508-155-0x0000020118320000-0x0000020118368000-memory.dmp

Filesize
288KB

Download
memory/4576-171-0x0000026E2FB00000-0x0000026E2FB48000-memory.dmp

Filesize
288KB

Download
memory/4624-176-0x0000029CE60F0000-0x0000029CE6138000-memory.dmp

Filesize
288KB

Download
memory/4692-177-0x0000021874440000-0x0000021874488000-memory.dmp

Filesize
288KB

Download
memory/4804-184-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/4960-164-0x00000227C5040000-0x00000227C5088000-memory.dmp

Filesize
288KB

Download
memory/4964-156-0x00000221F5EE0000-0x00000221F5F28000-memory.dmp

Filesize
288KB

Download
memory/5076-331-0x0000000003660000-0x0000000003672000-memory.dmp

Filesize
72KB

Download