colibri | 0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Size

4.9MB
MD5

8ae5271e85f7f0ff3bd5df1f96d57b40
SHA1

9bb09274523bc1b88f7c48922549a9c7464f2027
SHA256

0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5
SHA512

4b02bc90828f55e2510221b6c334d4c4ebe706be3ab8371b1e222bf8cd939407a40e76a0d1d1df3d14309c7ca6eec89c96bb7dc590ed990206e773577a17d8e6
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	5028	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	5028	schtasks.exe	83

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2384-3-0x000000001BAB0000-0x000000001BBDE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4824	powershell.exe
3728	powershell.exe
4220	powershell.exe
4104	powershell.exe
1548	powershell.exe
628	powershell.exe
2212	powershell.exe
4488	powershell.exe
2484	powershell.exe
4316	powershell.exe
4160	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 37 IoCs

pid	Process
636	tmp144.tmp.exe
2084	tmp144.tmp.exe
4976	tmp144.tmp.exe
640	OfficeClickToRun.exe
4920	tmp32D3.tmp.exe
768	tmp32D3.tmp.exe
3904	OfficeClickToRun.exe
1412	tmp54A3.tmp.exe
2512	tmp54A3.tmp.exe
4964	tmp54A3.tmp.exe
3584	tmp54A3.tmp.exe
4748	OfficeClickToRun.exe
4988	tmp84CB.tmp.exe
1044	tmp84CB.tmp.exe
3580	OfficeClickToRun.exe
4824	tmpA1AA.tmp.exe
1552	tmpA1AA.tmp.exe
2856	OfficeClickToRun.exe
2940	tmpBE1B.tmp.exe
3532	tmpBE1B.tmp.exe
1044	OfficeClickToRun.exe
2368	tmpEF2D.tmp.exe
1720	tmpEF2D.tmp.exe
3456	OfficeClickToRun.exe
1532	tmpE3F.tmp.exe
2328	tmpE3F.tmp.exe
1572	OfficeClickToRun.exe
736	tmp5589.tmp.exe
4884	tmp5589.tmp.exe
220	tmp5589.tmp.exe
4108	OfficeClickToRun.exe
3328	tmp864D.tmp.exe
4536	tmp864D.tmp.exe
2280	tmp864D.tmp.exe
868	OfficeClickToRun.exe
4796	tmpB721.tmp.exe
4720	tmpB721.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 4976	2084	tmp144.tmp.exe	129
PID 4920 set thread context of 768	4920	tmp32D3.tmp.exe	168
PID 4964 set thread context of 3584	4964	tmp54A3.tmp.exe	180
PID 4988 set thread context of 1044	4988	tmp84CB.tmp.exe	192
PID 4824 set thread context of 1552	4824	tmpA1AA.tmp.exe	200
PID 2940 set thread context of 3532	2940	tmpBE1B.tmp.exe	210
PID 2368 set thread context of 1720	2368	tmpEF2D.tmp.exe	220
PID 1532 set thread context of 2328	1532	tmpE3F.tmp.exe	230
PID 4884 set thread context of 220	4884	tmp5589.tmp.exe	240
PID 4536 set thread context of 2280	4536	tmp864D.tmp.exe	250
PID 4796 set thread context of 4720	4796	tmpB721.tmp.exe	260

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OfficeClickToRun.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files\dotnet\swidtag\27d1bcfc3c54e0	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RCX7B1.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXA42.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files\dotnet\swidtag\System.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX58D.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OfficeClickToRun.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCX12F0.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\e6c9b481da804f	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files (x86)\Internet Explorer\5b884080fd4f94	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\27d1bcfc3c54e0	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCX1504.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Program Files\dotnet\swidtag\System.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\Application\RCX1C2B.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Windows\Vss\Writers\Application\Registry.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Windows\PLA\sihost.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Windows\PLA\66fc9ff0ee96c2	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Windows\Vss\Writers\Application\Registry.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File created	C:\Windows\Vss\Writers\Application\ee2ad38f3d4382	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Windows\PLA\RCX1A17.tmp	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
File opened for modification	C:\Windows\PLA\sihost.exe	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE1B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5589.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp144.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1AA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEF2D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE3F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp864D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp864D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp32D3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54A3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54A3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5589.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp144.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54A3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp84CB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB721.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OfficeClickToRun.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1572	schtasks.exe
2936	schtasks.exe
4528	schtasks.exe
2512	schtasks.exe
4236	schtasks.exe
1140	schtasks.exe
2960	schtasks.exe
988	schtasks.exe
2524	schtasks.exe
2396	schtasks.exe
3568	schtasks.exe
4820	schtasks.exe
1468	schtasks.exe
4476	schtasks.exe
4220	schtasks.exe
3836	schtasks.exe
2288	schtasks.exe
1856	schtasks.exe
3880	schtasks.exe
4048	schtasks.exe
1352	schtasks.exe
2108	schtasks.exe
2424	schtasks.exe
4072	schtasks.exe
2332	schtasks.exe
2616	schtasks.exe
2692	schtasks.exe
2352	schtasks.exe
1044	schtasks.exe
5052	schtasks.exe
5100	schtasks.exe
900	schtasks.exe
2484	schtasks.exe
2796	schtasks.exe
4512	schtasks.exe
5108	schtasks.exe
3644	schtasks.exe
3620	schtasks.exe
412	schtasks.exe
5056	schtasks.exe
1028	schtasks.exe
2932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
4160	powershell.exe
4160	powershell.exe
2484	powershell.exe
2484	powershell.exe
3728	powershell.exe
3728	powershell.exe
4316	powershell.exe
4316	powershell.exe
4104	powershell.exe
4104	powershell.exe
4488	powershell.exe
4488	powershell.exe
2212	powershell.exe
2212	powershell.exe
4824	powershell.exe
4824	powershell.exe
628	powershell.exe
628	powershell.exe
4220	powershell.exe
4220	powershell.exe
1548	powershell.exe
1548	powershell.exe
2484	powershell.exe
4160	powershell.exe
4316	powershell.exe
3728	powershell.exe
4824	powershell.exe
2212	powershell.exe
4104	powershell.exe
4488	powershell.exe
628	powershell.exe
4220	powershell.exe
1548	powershell.exe
640	OfficeClickToRun.exe
640	OfficeClickToRun.exe
3904	OfficeClickToRun.exe
4748	OfficeClickToRun.exe
3580	OfficeClickToRun.exe
2856	OfficeClickToRun.exe
1044	OfficeClickToRun.exe
3456	OfficeClickToRun.exe
1572	OfficeClickToRun.exe
4108	OfficeClickToRun.exe
868	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	640	OfficeClickToRun.exe
Token: SeDebugPrivilege	3904	OfficeClickToRun.exe
Token: SeDebugPrivilege	4748	OfficeClickToRun.exe
Token: SeDebugPrivilege	3580	OfficeClickToRun.exe
Token: SeDebugPrivilege	2856	OfficeClickToRun.exe
Token: SeDebugPrivilege	1044	OfficeClickToRun.exe
Token: SeDebugPrivilege	3456	OfficeClickToRun.exe
Token: SeDebugPrivilege	1572	OfficeClickToRun.exe
Token: SeDebugPrivilege	4108	OfficeClickToRun.exe
Token: SeDebugPrivilege	868	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 636	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	126
PID 2384 wrote to memory of 636	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	126
PID 2384 wrote to memory of 636	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	126
PID 636 wrote to memory of 2084	636	tmp144.tmp.exe	128
PID 636 wrote to memory of 2084	636	tmp144.tmp.exe	128
PID 636 wrote to memory of 2084	636	tmp144.tmp.exe	128
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2084 wrote to memory of 4976	2084	tmp144.tmp.exe	129
PID 2384 wrote to memory of 1548	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	137
PID 2384 wrote to memory of 1548	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	137
PID 2384 wrote to memory of 2484	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	138
PID 2384 wrote to memory of 2484	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	138
PID 2384 wrote to memory of 4316	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	139
PID 2384 wrote to memory of 4316	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	139
PID 2384 wrote to memory of 628	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	140
PID 2384 wrote to memory of 628	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	140
PID 2384 wrote to memory of 4160	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	141
PID 2384 wrote to memory of 4160	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	141
PID 2384 wrote to memory of 2212	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	142
PID 2384 wrote to memory of 2212	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	142
PID 2384 wrote to memory of 4488	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	143
PID 2384 wrote to memory of 4488	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	143
PID 2384 wrote to memory of 4824	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	144
PID 2384 wrote to memory of 4824	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	144
PID 2384 wrote to memory of 3728	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	145
PID 2384 wrote to memory of 3728	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	145
PID 2384 wrote to memory of 4220	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	146
PID 2384 wrote to memory of 4220	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	146
PID 2384 wrote to memory of 4104	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	147
PID 2384 wrote to memory of 4104	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	147
PID 2384 wrote to memory of 640	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	159
PID 2384 wrote to memory of 640	2384	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe	159
PID 640 wrote to memory of 4920	640	OfficeClickToRun.exe	165
PID 640 wrote to memory of 4920	640	OfficeClickToRun.exe	165
PID 640 wrote to memory of 4920	640	OfficeClickToRun.exe	165
PID 640 wrote to memory of 3332	640	OfficeClickToRun.exe	167
PID 640 wrote to memory of 3332	640	OfficeClickToRun.exe	167
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 4920 wrote to memory of 768	4920	tmp32D3.tmp.exe	168
PID 640 wrote to memory of 2476	640	OfficeClickToRun.exe	169
PID 640 wrote to memory of 2476	640	OfficeClickToRun.exe	169
PID 3332 wrote to memory of 3904	3332	WScript.exe	172
PID 3332 wrote to memory of 3904	3332	WScript.exe	172
PID 3904 wrote to memory of 1712	3904	OfficeClickToRun.exe	174
PID 3904 wrote to memory of 1712	3904	OfficeClickToRun.exe	174
PID 3904 wrote to memory of 556	3904	OfficeClickToRun.exe	175
PID 3904 wrote to memory of 556	3904	OfficeClickToRun.exe	175
PID 3904 wrote to memory of 1412	3904	OfficeClickToRun.exe	176
PID 3904 wrote to memory of 1412	3904	OfficeClickToRun.exe	176
PID 3904 wrote to memory of 1412	3904	OfficeClickToRun.exe	176
PID 1412 wrote to memory of 2512	1412	tmp54A3.tmp.exe	178
PID 1412 wrote to memory of 2512	1412	tmp54A3.tmp.exe	178
PID 1412 wrote to memory of 2512	1412	tmp54A3.tmp.exe	178
PID 2512 wrote to memory of 4964	2512	tmp54A3.tmp.exe	179

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe
"C:\Users\Admin\AppData\Local\Temp\0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Recovery\WindowsRE\OfficeClickToRun.exe
  "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp32D3.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f2300e2-6ef1-4f1b-8ad6-dad3b25d2d6c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
      C:\Recovery\WindowsRE\OfficeClickToRun.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17aff54e-8f29-4332-868e-588c97e13164.vbs"
        5⤵
        
        PID:1712
      - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8adb25b0-a4b7-4955-8ad9-b270ba594bca.vbs"
        7⤵
        
        PID:4604
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66f5822c-f2cb-4a96-bb04-8a588a75878b.vbs"
        9⤵
        
        PID:2276
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a01a27-6dc4-457a-a66a-6c9e16770610.vbs"
        11⤵
        
        PID:3412
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70102a61-9245-432d-8e2d-a1f98d2b2576.vbs"
        13⤵
        
        PID:3156
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a14f37e-c3d5-4b12-ac8b-1937295838c5.vbs"
        15⤵
        
        PID:700
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c3b6103-ae31-4a32-8bae-3d3951e4fa3e.vbs"
        17⤵
        
        PID:1620
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8aecd2a-a695-4b86-a57a-4a3b8a1e92d1.vbs"
        19⤵
        
        PID:1352
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aea23667-d6a9-43d9-aaa2-3c57aa5c9a11.vbs"
        21⤵
        
        PID:1052
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        C:\Recovery\WindowsRE\OfficeClickToRun.exe
        22⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e9c02e6-216c-444d-b01c-8d3ffef524b3.vbs"
        21⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmpB721.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB721.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmpB721.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB721.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\341729da-e0ae-4357-be90-b47540c5467f.vbs"
        19⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp864D.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e576a2b-34e1-4c67-9ebb-e9f8943d4f4e.vbs"
        17⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5589.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d03cd21-65ea-461e-aaee-d4c158f730cd.vbs"
        15⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmpE3F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE3F.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmpE3F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE3F.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\457d0ee3-a146-4221-ae76-dd3616a48443.vbs"
        13⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmpEF2D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEF2D.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmpEF2D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEF2D.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\221d74d0-25dc-4b54-9e0e-9b0aeb9cf85c.vbs"
        11⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE1B.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE1B.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a0dd35d-1ed9-426c-8efb-b17a33b478bb.vbs"
        9⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmpA1AA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA1AA.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmpA1AA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA1AA.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b2cba87-713a-47f7-b864-3b5c391cc877.vbs"
        7⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp84CB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84CB.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp84CB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp84CB.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4279174-9be5-4c47-ac43-b0d83f34d95f.vbs"
        5⤵
        
        PID:556
    - - C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b753d806-f7a7-459e-b9d6-5ffa3f8e4f9a.vbs"
    3⤵
    PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Saved Games\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PLA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\fontdrvhost.exe

Filesize
4.9MB

MD5
8ae5271e85f7f0ff3bd5df1f96d57b40

SHA1
9bb09274523bc1b88f7c48922549a9c7464f2027

SHA256
0f65cda1b8996dcb7b0352359dc6226e69f010a7d9f4335e64acecaad904f4b5

SHA512
4b02bc90828f55e2510221b6c334d4c4ebe706be3ab8371b1e222bf8cd939407a40e76a0d1d1df3d14309c7ca6eec89c96bb7dc590ed990206e773577a17d8e6

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
4.9MB

MD5
5ab5410ffdf79d844c66559fe8029ac9

SHA1
59e9189bc0e72054108be465e5ad12f21d33647a

SHA256
ddf8c8aea5e732a39867a5fae500ebb6cc60852f19661be7e1d03e7818177cf1

SHA512
dd778619e02bbd18785e94668c6588966a3df08933cc6d673d997fbf2692b7475a426e9394539a17d74a8697a283d03a4bc38ca503656890943f4b1ae018cf8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OfficeClickToRun.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0a14f37e-c3d5-4b12-ac8b-1937295838c5.vbs

Filesize
718B

MD5
e7f1f4bdaca3b2b072b121629161b561

SHA1
2d2317fab425ba12d9a8f1d9a04ba28baca39db1

SHA256
c09388678b8e8365b0e6497bf5818d20e60b1bb4ab24b1fa5fe43389378ee770

SHA512
e04fee030feaecbdb20a2dbeba32d81df238616ab0c7c8e762214602a4d2864591f5c1845c93fba5a14a9c835414b7e1d5f4f76f705e799afffdce510c2a1a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\17aff54e-8f29-4332-868e-588c97e13164.vbs

Filesize
718B

MD5
e732fbfd2f9aab1db91f61a07c3eaa89

SHA1
32985ab07b04275f5faacd457223245a342ab948

SHA256
8129058d01495e85afe7ce3290544172166ca6c109541ff1ca249aa8cb148a98

SHA512
37c98b770ce09eb5154b4fe8ce210bfcd617f78c07318025e31f41de78920141f424e69e059a0180590ae3dc6b3aa00f96f4a3cf5652b11bcafc59fea37538d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f2300e2-6ef1-4f1b-8ad6-dad3b25d2d6c.vbs

Filesize
717B

MD5
9ff39ec39f392767c1ebe153fdcfb87b

SHA1
8f010142c0f1fea177140028afc29a1f90d64521

SHA256
3594864f9e2b592f461e91c10b308e0f063258f64a0e89aed6c73c79d482e31c

SHA512
8eff6f16468490bae95247807a2d2f979bee49d8c8314825aae844ecca7ac86c4a0417a4a0f4ba4a90d55a4a3ac606feeca93c2e39278de63d86e4ed9c2a7678

Download Submit
C:\Users\Admin\AppData\Local\Temp\66f5822c-f2cb-4a96-bb04-8a588a75878b.vbs

Filesize
718B

MD5
f13cd24244fc47f759631cda63961c62

SHA1
36e2810c6fe65cea89dba340007d46520f38a75e

SHA256
45d3318535f80452ea3cbb5898480da75f0d049176701eef70e0c2399f6b8f6c

SHA512
cfe31298ece4e7aca3a500507d762d6b818ca44c2acf9eb2cca92f66ae947239a50ba83df1b347230b2623c3cc787d25254f824d2496cbd3e6beed789d9e5b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\70102a61-9245-432d-8e2d-a1f98d2b2576.vbs

Filesize
718B

MD5
4ae156e0d5100f5c8ab5e643ee4f6fde

SHA1
9d6f1e5a3fd2d57a30db7f3f1d226102bbf2162e

SHA256
77cd6076fe452cb9c73b5e4a1a84551a7555d4f63cd71f0dbe45aed058f8beed

SHA512
9b17151947b700811fddf5340a39eca4eb7c3ad7d0a20bbd12e1de07bcdcae55e3ba288cecaf983709d16b89b587cad50e26cd606e32318e1775c260f1a60585

Download Submit
C:\Users\Admin\AppData\Local\Temp\8adb25b0-a4b7-4955-8ad9-b270ba594bca.vbs

Filesize
718B

MD5
8ddbc908c55a3d047e97467e612a6841

SHA1
5f100055e6679220766ba1c2ccf34adbe0aa068a

SHA256
785637e3c734601c6cb4085138def16c226c8dc2d46b3b51d78d8998e0880cea

SHA512
dc2bdf0312ba1e5ca5d91af69322386ff93303bad295cf0ed683bb0a663ae2b96d907239447000bec70cc6469f9c632f04006f77ed13b79a11c671fa587d07d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysktej1b.15y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b753d806-f7a7-459e-b9d6-5ffa3f8e4f9a.vbs

Filesize
494B

MD5
0caa46b2c64eb023a561b6b87ab83fcd

SHA1
b2777a0835d16d2d555c2c6d18db51f32391e00c

SHA256
7930aec85afca5ef47b482adc0efd64a29547ea7a5d4d8d453ae8b08fe2f11ea

SHA512
a4c47b2b0ddd4f8a576ede80a2f3411000262a04b6fc1be802e9ede0f9845cf1a565c88dad8c77e9d8919cde68227fa4731ebd1b86b8dd4cfa012d1b3cbad338

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a01a27-6dc4-457a-a66a-6c9e16770610.vbs

Filesize
718B

MD5
a80939c27b61d083a1507279ea15067d

SHA1
11cdabc0a91e731cefc303e43b2a532b1d98f64d

SHA256
8c4f844a4dcba3c03d37e921e77aab970ee52e70d70abc0f372743db531ff162

SHA512
4c685b4f20c81a8d1264cc6fd1eebdacebfd1ac28a1a0d7ebc37f8d61d87a7b58b26480c0456e2e410c446e8c254fe45e947e9b5166c534517c4a91a77ab00b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp144.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\PLA\RCX1A17.tmp

Filesize
4.9MB

MD5
6688b00b71308f75c2ad2163ad9abd67

SHA1
0c673f452d3c8151e65b34931e4948bff13e5cfe

SHA256
bb5e11a470c5bb43164b9bafecd78cc97cc952dfa8dda56dd3ed078c53ce3092

SHA512
ee380dbdd54b229524c58d66d7c34c711fa280ce80e21492462905415863df2b3f4f55034963fe477e3ccc6635b9c066e3b7d02fb89726a51c802678ff7635ff

Download Submit
memory/640-314-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/2384-315-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/2384-8-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/2384-18-0x0000000002D60000-0x0000000002D6C000-memory.dmp

Filesize
48KB

Download
memory/2384-126-0x00007FFE642D3000-0x00007FFE642D5000-memory.dmp

Filesize
8KB

Download
memory/2384-16-0x0000000002D40000-0x0000000002D48000-memory.dmp

Filesize
32KB

Download
memory/2384-140-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/2384-2-0x00007FFE642D0000-0x00007FFE64D91000-memory.dmp

Filesize
10.8MB

Download
memory/2384-13-0x0000000002D10000-0x0000000002D1A000-memory.dmp

Filesize
40KB

Download
memory/2384-14-0x0000000002D20000-0x0000000002D2E000-memory.dmp

Filesize
56KB

Download
memory/2384-17-0x0000000002D50000-0x0000000002D58000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x00007FFE642D3000-0x00007FFE642D5000-memory.dmp

Filesize
8KB

Download
memory/2384-3-0x000000001BAB0000-0x000000001BBDE000-memory.dmp

Filesize
1.2MB

Download
memory/2384-10-0x0000000002CE0000-0x0000000002CEA000-memory.dmp

Filesize
40KB

Download
memory/2384-11-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/2384-12-0x000000001C610000-0x000000001CB38000-memory.dmp

Filesize
5.2MB

Download
memory/2384-9-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/2384-1-0x00000000005E0000-0x0000000000AD4000-memory.dmp

Filesize
5.0MB

Download
memory/2384-4-0x0000000002C20000-0x0000000002C3C000-memory.dmp

Filesize
112KB

Download
memory/2384-5-0x0000000002C90000-0x0000000002CE0000-memory.dmp

Filesize
320KB

Download
memory/2384-6-0x0000000002C40000-0x0000000002C48000-memory.dmp

Filesize
32KB

Download
memory/2384-7-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/2384-15-0x0000000002D30000-0x0000000002D3E000-memory.dmp

Filesize
56KB

Download
memory/2484-208-0x0000022559330000-0x0000022559352000-memory.dmp

Filesize
136KB

Download
memory/4976-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download