colibri | 2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4

Analysis

max time kernel
119s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Size

4.9MB
MD5

d8b8aede9dcb3c6ead52f11fc0826520
SHA1

6b5981a21251b5d0833a8dc8e7b4c71787c3d6e6
SHA256

2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4
SHA512

c3bbcbf837ae31dccf70e966dcb57e6bce105aef5163ebb44111fc7dc810cb34691292cd4ad30ab0e1516a75f569addfafaf6c3a4b026c2a1446f1182bb005b1
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2492	schtasks.exe
		3560	schtasks.exe
		212	schtasks.exe
		3488	schtasks.exe
		2068	schtasks.exe
		4028	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\f3b6ecef712a24		2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
		916	schtasks.exe
		1772	schtasks.exe
		1044	schtasks.exe
		3696	schtasks.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94		2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
		1932	schtasks.exe
		2400	schtasks.exe
		4392	schtasks.exe
		1716	schtasks.exe
		2680	schtasks.exe
		1720	schtasks.exe
		3000	schtasks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA		2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
		2932	schtasks.exe
		1580	schtasks.exe
		4416	schtasks.exe
		2552	schtasks.exe
		2832	schtasks.exe
		3584	schtasks.exe
		1832	schtasks.exe
		3740	schtasks.exe
		4756	schtasks.exe
		3320	schtasks.exe
		4856	schtasks.exe
		4456	schtasks.exe
		1540	schtasks.exe
		2504	schtasks.exe
		4204	schtasks.exe
		3764	schtasks.exe
		2012	schtasks.exe
		3776	schtasks.exe
		2436	schtasks.exe
		3044	schtasks.exe
		3256	schtasks.exe
		4704	schtasks.exe
		4348	schtasks.exe
		3416	schtasks.exe
		4384	schtasks.exe
		4240	schtasks.exe
		2036	schtasks.exe
		4200	schtasks.exe
		3992	schtasks.exe
		900	schtasks.exe
		2364	schtasks.exe
		3996	schtasks.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685		2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
		5072	schtasks.exe
		2880	schtasks.exe
		4980	schtasks.exe
		1808	schtasks.exe
		224	schtasks.exe
		3580	schtasks.exe
		3920	schtasks.exe
		3788	schtasks.exe
		4060	schtasks.exe
		3648	schtasks.exe
		4956	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3956	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3956	schtasks.exe	84

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4592-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2992	powershell.exe
3920	powershell.exe
4772	powershell.exe
1716	powershell.exe
3044	powershell.exe
4980	powershell.exe
4592	powershell.exe
5108	powershell.exe
3996	powershell.exe
3164	powershell.exe
4540	powershell.exe
316	powershell.exe
3748	powershell.exe
116	powershell.exe
212	powershell.exe
3524	powershell.exe
4032	powershell.exe
3608	powershell.exe
1148	powershell.exe
1104	powershell.exe
1964	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 31 IoCs

pid	Process
3324	tmpC0F1.tmp.exe
4880	tmpC0F1.tmp.exe
452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
2544	tmpED9C.tmp.exe
1504	tmpED9C.tmp.exe
2324	conhost.exe
1848	tmp295D.tmp.exe
3764	tmp295D.tmp.exe
1084	conhost.exe
1424	tmp5956.tmp.exe
3804	tmp5956.tmp.exe
2500	conhost.exe
2732	tmp8884.tmp.exe
4900	tmp8884.tmp.exe
3364	tmp8884.tmp.exe
2068	conhost.exe
4728	tmpB8FA.tmp.exe
3856	tmpB8FA.tmp.exe
3452	conhost.exe
416	conhost.exe
4856	tmp5E2.tmp.exe
2416	tmp5E2.tmp.exe
3392	conhost.exe
3972	tmp3658.tmp.exe
928	tmp3658.tmp.exe
5072	conhost.exe
3780	tmp52F8.tmp.exe
2152	tmp52F8.tmp.exe
4104	conhost.exe
3476	tmp841A.tmp.exe
2776	tmp841A.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RCXD3E6.tmp	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Windows\SysWOW64\services.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\SysWOW64\services.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\SysWOW64\c5b4cb5e9653cc	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 3324 set thread context of 4880	3324	tmpC0F1.tmp.exe	129
PID 2544 set thread context of 1504	2544	tmpED9C.tmp.exe	206
PID 1848 set thread context of 3764	1848	tmp295D.tmp.exe	238
PID 1424 set thread context of 3804	1424	tmp5956.tmp.exe	245
PID 4900 set thread context of 3364	4900	tmp8884.tmp.exe	252
PID 4728 set thread context of 3856	4728	tmpB8FA.tmp.exe	258
PID 4856 set thread context of 2416	4856	tmp5E2.tmp.exe	267
PID 3972 set thread context of 928	3972	tmp3658.tmp.exe	273
PID 3780 set thread context of 2152	3780	tmp52F8.tmp.exe	279
PID 3476 set thread context of 2776	3476	tmp841A.tmp.exe	285

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\attachments\TextInputHost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Uninstall Information\winlogon.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXD165.tmp	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Windows Defender\en-US\upfc.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Crashpad\attachments\TextInputHost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXC47E.tmp	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Windows Sidebar\powershell.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXCABA.tmp	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Uninstall Information\TextInputHost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\upfc.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\f3b6ecef712a24	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\04c1e7795967e4	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Uninstall Information\22eafd247d37c3	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Uninstall Information\TextInputHost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\smss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\MSBuild\69ddcba757bf72	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\886983d96e3d3e	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Windows Sidebar\e978f868350d50	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\088424020bedd6	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Crashpad\attachments\22eafd247d37c3	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\WindowsApps\powershell.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\TrustedInstaller.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\29c1c3cc0f7685	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXD80F.tmp	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\MSBuild\smss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Windows Defender\en-US\ea1d8f6d871115	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Program Files\Windows Sidebar\powershell.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\5b884080fd4f94	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\TrustedInstaller.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Panther\csrss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\Panther\886983d96e3d3e	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\OCR\it-it\winlogon.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Windows\fr-FR\RuntimeBroker.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File opened for modification	C:\Windows\Panther\csrss.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\ServiceState\EventLog\Data\wininit.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\fr-FR\RuntimeBroker.exe	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
File created	C:\Windows\fr-FR\9e8d7a4ca61bd9	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC0F1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp295D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8884.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8884.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB8FA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp52F8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp841A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpED9C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5956.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3658.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3992	schtasks.exe
1716	schtasks.exe
4060	schtasks.exe
1028	schtasks.exe
1772	schtasks.exe
816	schtasks.exe
4028	schtasks.exe
3696	schtasks.exe
2240	schtasks.exe
3560	schtasks.exe
2680	schtasks.exe
1044	schtasks.exe
2028	schtasks.exe
1540	schtasks.exe
4120	schtasks.exe
1832	schtasks.exe
2492	schtasks.exe
1144	schtasks.exe
1580	schtasks.exe
4348	schtasks.exe
3584	schtasks.exe
536	schtasks.exe
1028	schtasks.exe
3776	schtasks.exe
4704	schtasks.exe
4744	schtasks.exe
3344	schtasks.exe
2328	schtasks.exe
3920	schtasks.exe
4756	schtasks.exe
212	schtasks.exe
224	schtasks.exe
3580	schtasks.exe
1012	schtasks.exe
3320	schtasks.exe
4980	schtasks.exe
2832	schtasks.exe
3740	schtasks.exe
3648	schtasks.exe
4384	schtasks.exe
4416	schtasks.exe
1832	schtasks.exe
3000	schtasks.exe
3488	schtasks.exe
2892	schtasks.exe
3996	schtasks.exe
1808	schtasks.exe
2036	schtasks.exe
4460	schtasks.exe
900	schtasks.exe
1720	schtasks.exe
4956	schtasks.exe
4240	schtasks.exe
4640	schtasks.exe
1932	schtasks.exe
3144	schtasks.exe
3788	schtasks.exe
2932	schtasks.exe
4200	schtasks.exe
2880	schtasks.exe
1076	schtasks.exe
3256	schtasks.exe
3928	schtasks.exe
3764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
116	powershell.exe
116	powershell.exe
3996	powershell.exe
3996	powershell.exe
3044	powershell.exe
3044	powershell.exe
212	powershell.exe
212	powershell.exe
4980	powershell.exe
4980	powershell.exe
5108	powershell.exe
5108	powershell.exe
3748	powershell.exe
3748	powershell.exe
3164	powershell.exe
3164	powershell.exe
2596	powershell.exe
2596	powershell.exe
3524	powershell.exe
3524	powershell.exe
116	powershell.exe
3996	powershell.exe
1964	powershell.exe
1964	powershell.exe
3524	powershell.exe
2596	powershell.exe
3044	powershell.exe
212	powershell.exe
4980	powershell.exe
5108	powershell.exe
3748	powershell.exe
3164	powershell.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2324	conhost.exe
Token: SeDebugPrivilege	1084	conhost.exe
Token: SeDebugPrivilege	2500	conhost.exe
Token: SeDebugPrivilege	2068	conhost.exe
Token: SeDebugPrivilege	3452	conhost.exe
Token: SeDebugPrivilege	416	conhost.exe
Token: SeDebugPrivilege	3392	conhost.exe
Token: SeDebugPrivilege	5072	conhost.exe
Token: SeDebugPrivilege	4104	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 3324	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	127
PID 4592 wrote to memory of 3324	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	127
PID 4592 wrote to memory of 3324	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	127
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 3324 wrote to memory of 4880	3324	tmpC0F1.tmp.exe	129
PID 4592 wrote to memory of 1964	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	133
PID 4592 wrote to memory of 1964	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	133
PID 4592 wrote to memory of 5108	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	134
PID 4592 wrote to memory of 5108	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	134
PID 4592 wrote to memory of 3996	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	135
PID 4592 wrote to memory of 3996	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	135
PID 4592 wrote to memory of 4980	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	136
PID 4592 wrote to memory of 4980	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	136
PID 4592 wrote to memory of 3748	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	137
PID 4592 wrote to memory of 3748	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	137
PID 4592 wrote to memory of 3524	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	138
PID 4592 wrote to memory of 3524	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	138
PID 4592 wrote to memory of 212	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	139
PID 4592 wrote to memory of 212	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	139
PID 4592 wrote to memory of 116	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	140
PID 4592 wrote to memory of 116	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	140
PID 4592 wrote to memory of 2596	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	141
PID 4592 wrote to memory of 2596	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	141
PID 4592 wrote to memory of 3044	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	142
PID 4592 wrote to memory of 3044	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	142
PID 4592 wrote to memory of 3164	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	143
PID 4592 wrote to memory of 3164	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	143
PID 4592 wrote to memory of 452	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	156
PID 4592 wrote to memory of 452	4592	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	156
PID 452 wrote to memory of 2544	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	204
PID 452 wrote to memory of 2544	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	204
PID 452 wrote to memory of 2544	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	204
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 2544 wrote to memory of 1504	2544	tmpED9C.tmp.exe	206
PID 452 wrote to memory of 2992	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	207
PID 452 wrote to memory of 2992	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	207
PID 452 wrote to memory of 4032	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	208
PID 452 wrote to memory of 4032	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	208
PID 452 wrote to memory of 3920	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	210
PID 452 wrote to memory of 3920	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	210
PID 452 wrote to memory of 4772	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	211
PID 452 wrote to memory of 4772	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	211
PID 452 wrote to memory of 3608	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	212
PID 452 wrote to memory of 3608	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	212
PID 452 wrote to memory of 4540	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	213
PID 452 wrote to memory of 4540	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	213
PID 452 wrote to memory of 1148	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	214
PID 452 wrote to memory of 1148	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	214
PID 452 wrote to memory of 316	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	215
PID 452 wrote to memory of 316	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	215
PID 452 wrote to memory of 4592	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	216
PID 452 wrote to memory of 4592	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	216
PID 452 wrote to memory of 1716	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	217
PID 452 wrote to memory of 1716	452	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe	217

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
"C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4592
- C:\Users\Admin\AppData\Local\Temp\tmpC0F1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC0F1.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\tmpC0F1.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC0F1.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe
  "C:\Users\Admin\AppData\Local\Temp\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\tmpED9C.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpED9C.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\tmpED9C.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpED9C.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KWrLEt72B2.bat"
    3⤵
    PID:908
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3900
  - - C:\Recovery\WindowsRE\conhost.exe
      "C:\Recovery\WindowsRE\conhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:2324
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d035cd3-7f71-4e9b-9ce1-7520504f5f6f.vbs"
        5⤵
        
        PID:2852
      - C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7cbe956-0c5d-49a3-8558-f14f34e6468f.vbs"
        7⤵
        
        PID:3328
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\978e5652-016b-4ee1-ab32-4f5bab80fb96.vbs"
        9⤵
        
        PID:3248
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a419c8-1061-473f-b67c-9b80e99a6e3e.vbs"
        11⤵
        
        PID:1620
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68ec6685-7d5e-4b8f-b448-d577ab8a7a9d.vbs"
        13⤵
        
        PID:2560
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\407e11c5-4eb0-431b-8097-b444470793f3.vbs"
        15⤵
        
        PID:5024
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ef20fae-3a34-48c7-9b6e-ed08a05f1bbf.vbs"
        17⤵
        
        PID:3944
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b7f761a-44b0-4dd7-8643-b1350792575d.vbs"
        19⤵
        
        PID:1540
        
        C:\Recovery\WindowsRE\conhost.exe
        
        C:\Recovery\WindowsRE\conhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\419db8b5-8051-46c2-bc88-41f3585c5b18.vbs"
        21⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a47ac68-7aa8-4b95-a20e-03fda278589d.vbs"
        21⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp841A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp841A.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp841A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp841A.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0892f0-8805-44ea-acc2-7831156e29bc.vbs"
        19⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp52F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp52F8.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp52F8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp52F8.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bf4f80e-6411-4f95-844a-daaa83f24d51.vbs"
        17⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3658.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2802c66b-d146-456c-981f-b7803356aec9.vbs"
        15⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E2.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp5E2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5E2.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47bab6ee-7fba-4783-9dc7-b8c190f09b41.vbs"
        13⤵
        
        PID:4200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77d7d426-2e57-49dc-9609-a88c85ee6969.vbs"
        11⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmpB8FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB8FA.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmpB8FA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB8FA.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af342ad6-aa8a-4702-8428-9ad99ae1bc7b.vbs"
        9⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8884.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:3364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2b0ce76-713a-428f-9e9a-21880a18c9fc.vbs"
        7⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5956.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3804
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43b211fe-ea86-45d9-99a2-79e7628b9ade.vbs"
        5⤵
        
        PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp295D.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Libraries\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SysWOW64\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Panther\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /f
1⤵
- DcRat
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\powershell.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\powershell.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /f
1⤵
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\conhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N2" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /f
1⤵
- DcRat
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N" /sc ONLOGON /tr "'C:\Users\Default\NetHood\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N2" /sc MINUTE /mo 14 /tr "'C:\Users\Default\NetHood\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1099dc40baabde4be41cc1faf6353f7d

SHA1
345705c6b9adc64389b6d142e7484d0cdd4f2bd0

SHA256
6cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40

SHA512
6315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
07ab6cc81c5230a598c0ad1711b6bd97

SHA1
de7e270e12d447dfc5896b7c96777eb32725778a

SHA256
900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3

SHA512
ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9a7f35c006bbf5da72f9cb250ffbddb

SHA1
458a8cedc38dac109631d9fccb3bf6d2c5c0e89e

SHA256
a1db56d56e35a6c95f98204e40f69f70422969681d408e5edc4afbf732eef86b

SHA512
d341773d30e09214567c65f24cd1854f1e438b8528aa30d35b6baac16e671dde1245edda654f19343b7c160da45985ab53f08453e7f6286e272d544f8741c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a9451a6b9669d49bd90704dff21beb85

SHA1
5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

SHA256
b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

SHA512
06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f545274ba19d9199a78f74cd05e8187

SHA1
4036cf78d3f310af42963c8f16ae27c5922b5dff

SHA256
3b4780cb2e226f4b05643c0b512960e694f21b35bbbe84d5c5e97628e1f8909c

SHA512
b0f66a6c32cb7f2f96b51c141ffe7df7f4fd61a792e6a3756f54b6d0df6f48d7a3bda23d46ee1e18a22ac995520fb9c4ca1b444d204bdd8f3e4b8651f59adc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d035cd3-7f71-4e9b-9ce1-7520504f5f6f.vbs

Filesize
709B

MD5
cec0fba11cc264c4362d6e88d8b7f4b3

SHA1
b155b7d0d37af3bbbc1b907414e86f2b77918a2b

SHA256
6fdf07419f06ebdec091de94caf8ff76ebe661e247b60ef92fd51c7874b19c10

SHA512
f334b027ba331035e64ef43593186e545b31a130623d1a25491efd4ef4293c1fb5e50b0ac8b650c784b6f121124306727061a8d500295537ac93a5d548c92e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\43b211fe-ea86-45d9-99a2-79e7628b9ade.vbs

Filesize
485B

MD5
ed4ca3e4ded1b2c69a3f30358cfb263a

SHA1
2b4f354f616ff07c51c44e0130b50671ebe08be4

SHA256
98804180f659f42670ab5cba87f90fc2d5458834caadf316bd5127570a07adea

SHA512
61215e4bc9fcc33eb487032777f5ca623e06119b2f71a4ba66c2e4a5df07146fb63ea40b09db64fefa55125b92d272fd621433a2321a7816c52a73118f86099c

Download Submit
C:\Users\Admin\AppData\Local\Temp\68ec6685-7d5e-4b8f-b448-d577ab8a7a9d.vbs

Filesize
709B

MD5
9490abbd24cbddc8747c08c43fe095fc

SHA1
20e99e95499a653b9ee8d42c09081d581de1d8a3

SHA256
39c47ba253c021c8c80cba860d45c766f5367acca55fd044624f6cc145935354

SHA512
a6407bf6013f1b64ac17e216ae7b3902a83a73a1c962f4e24ce5e44f3594e4621064bcde47298ab75c4fa38508be0ed2f91f859af8b9bfd23d8e09a16ee8664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\978e5652-016b-4ee1-ab32-4f5bab80fb96.vbs

Filesize
709B

MD5
35deab4beed55118bf5cc0a4f9a21589

SHA1
63e3fd856885dfc8d35df21f33d97f44857b9b7f

SHA256
1910a0098dfb87dd6b1cb54e97b782cecbb1192966b154fe8eba57b92635de1f

SHA512
775f0e308fcfe6c4c1603078474bbf859e67c18251977a63dcb461b87c363ee8e24e4dbcfcd3a98775ebd34e50068920f16860a2fa68e3bea9e32a154fca1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWrLEt72B2.bat

Filesize
198B

MD5
5a193de94d12307b92b6d40c80448a18

SHA1
8b91c6f1fa7110040ca76203327f6cd3720cd068

SHA256
441e8af853e828cf3689cf2a8398b89a9332e22b9c33dd93bc8c4fe9f2b8c46c

SHA512
5c82087a75289bdb5bf2fd8b49848cb9b5532fd724e658e35b4706a516cac89cc935df6a7d92f2b73adf8b89164bec1a3408bf870d0c56fc8aaa105efb10cf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1aqybxe.v4g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7cbe956-0c5d-49a3-8558-f14f34e6468f.vbs

Filesize
709B

MD5
5fd9af1971c62b24380bbf8af36dc087

SHA1
bb46e195c4445307574e034beea0a2fa504ddb34

SHA256
6afdeee46c3e1128e0c53031fa7e197dd1c270d90f272f0bad2e05e05f785e13

SHA512
e9d8657ec828dbf5e12c43ae0f8dee1a5cf1abbbc89e50d607ebbc222e0f1b3600ce8f8c4857406b3a4f5a77214217740c1af33b8c01cf0290a8d410aec707a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4a419c8-1061-473f-b67c-9b80e99a6e3e.vbs

Filesize
709B

MD5
1154cbe944ae308139875b1cd1cc1ba9

SHA1
79589fe283cc619e8cc2fc2e5a537f8e32cf7c8e

SHA256
dd943b165aed47e7c4be6a67ad9082352a750afcd8b263096687545311e3d472

SHA512
bb98f67f83a7293bb05a91e4919bca7411df0dd250b9b47f825662009af00575f1a664865ce01e1708985a622e9c54bd8784e1233da5e678cf592727eda22415

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0F1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Public\Libraries\RCXC692.tmp

Filesize
4.9MB

MD5
45688e46eddadeae125590aa3210d731

SHA1
608f39ae847f338875ca86e5f745b825db778f29

SHA256
8bba56d2a29fa9dce7faa4e59a00f54a035f84359d474401326ab1bd30337737

SHA512
16105f94bf755595f0f59a9984d858afff7e67a9716cc8048622cd1f134ab0c3f6478cae30610ccc8632a8def8a38f5654d3ab337a53927b3aaa890b849c9fba

Download Submit
C:\Users\Public\Libraries\SearchApp.exe

Filesize
4.9MB

MD5
d8b8aede9dcb3c6ead52f11fc0826520

SHA1
6b5981a21251b5d0833a8dc8e7b4c71787c3d6e6

SHA256
2e98237175f01ec0b438492e9beb7c985a82827337d7926f3fe0b6316bb6c7e4

SHA512
c3bbcbf837ae31dccf70e966dcb57e6bce105aef5163ebb44111fc7dc810cb34691292cd4ad30ab0e1516a75f569addfafaf6c3a4b026c2a1446f1182bb005b1

Download Submit
memory/452-262-0x000000001BBC0000-0x000000001BBD2000-memory.dmp

Filesize
72KB

Download
memory/2068-561-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/2500-534-0x0000000003240000-0x0000000003252000-memory.dmp

Filesize
72KB

Download
memory/3044-176-0x000001E219620000-0x000001E219642000-memory.dmp

Filesize
136KB

Download
memory/4592-12-0x000000001C510000-0x000000001CA38000-memory.dmp

Filesize
5.2MB

Download
memory/4592-9-0x000000001BF40000-0x000000001BF50000-memory.dmp

Filesize
64KB

Download
memory/4592-18-0x000000001C010000-0x000000001C01C000-memory.dmp

Filesize
48KB

Download
memory/4592-16-0x000000001BFF0000-0x000000001BFF8000-memory.dmp

Filesize
32KB

Download
memory/4592-15-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/4592-14-0x000000001BF80000-0x000000001BF8E000-memory.dmp

Filesize
56KB

Download
memory/4592-13-0x000000001BF70000-0x000000001BF7A000-memory.dmp

Filesize
40KB

Download
memory/4592-261-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/4592-11-0x000000001BF60000-0x000000001BF72000-memory.dmp

Filesize
72KB

Download
memory/4592-10-0x000000001BF50000-0x000000001BF5A000-memory.dmp

Filesize
40KB

Download
memory/4592-8-0x000000001B790000-0x000000001B7A6000-memory.dmp

Filesize
88KB

Download
memory/4592-17-0x000000001C000000-0x000000001C008000-memory.dmp

Filesize
32KB

Download
memory/4592-6-0x0000000002B40000-0x0000000002B48000-memory.dmp

Filesize
32KB

Download
memory/4592-7-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/4592-5-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/4592-4-0x0000000002B20000-0x0000000002B3C000-memory.dmp

Filesize
112KB

Download
memory/4592-3-0x000000001B7C0000-0x000000001B8EE000-memory.dmp

Filesize
1.2MB

Download
memory/4592-0-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

Filesize
8KB

Download
memory/4592-156-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/4592-2-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/4592-149-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

Filesize
8KB

Download
memory/4592-1-0x0000000000570000-0x0000000000A64000-memory.dmp

Filesize
5.0MB

Download
memory/4880-72-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download