luminosity | e0c720e092c6c0265f3e2a37f0636a26a7fdefc6a49069c659dbe3c5e35aefd6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	KMSpico_setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	KMSpico_setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	KMSpico_11_final_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Executes dropped EXE 7 IoCs

pid	Process
4028	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
3504	KMSpico_setup.exe
4740	KMSpico_setup.tmp
1928	KMSpico_setup.exe
5112	KMSpico_setup.tmp
4712	_setup.exe
3508	_setup.tmp

Loads dropped DLL 2 IoCs

pid	Process
4740	KMSpico_setup.tmp
5112	KMSpico_setup.tmp

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	KMSpico_11_final_setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	KMSpico_11_final_setup.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	KMSpico_setup.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3584 set thread context of 3960	3584	KMSpico_11_final_setup.exe	85

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe	KMSpico_setup.tmp
File created	C:\Program Files (x86)\Common Files\InstallShield\Update\is-PPL6R.tmp	KMSpico_setup.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
File created	C:\Windows\assembly\Desktop.ini	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2728	sc.exe
792	sc.exe
3476	sc.exe
3340	sc.exe
1416	sc.exe
1368	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1484	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4580	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	KMSpico_setup.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4028	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
5112	KMSpico_setup.tmp
5112	KMSpico_setup.tmp

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3584	KMSpico_11_final_setup.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	KMSpico_11_final_setup.exe
Token: SeDebugPrivilege	4028	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
Token: SeDebugPrivilege	4580	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5112	KMSpico_setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 3960	3584	KMSpico_11_final_setup.exe	85
PID 3584 wrote to memory of 3960	3584	KMSpico_11_final_setup.exe	85
PID 3584 wrote to memory of 3960	3584	KMSpico_11_final_setup.exe	85
PID 3584 wrote to memory of 3960	3584	KMSpico_11_final_setup.exe	85
PID 3584 wrote to memory of 4028	3584	KMSpico_11_final_setup.exe	86
PID 3584 wrote to memory of 4028	3584	KMSpico_11_final_setup.exe	86
PID 4028 wrote to memory of 4792	4028	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe	88
PID 4028 wrote to memory of 4792	4028	a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe	88
PID 4792 wrote to memory of 3504	4792	WScript.exe	89
PID 4792 wrote to memory of 3504	4792	WScript.exe	89
PID 4792 wrote to memory of 3504	4792	WScript.exe	89
PID 3504 wrote to memory of 4740	3504	KMSpico_setup.exe	90
PID 3504 wrote to memory of 4740	3504	KMSpico_setup.exe	90
PID 3504 wrote to memory of 4740	3504	KMSpico_setup.exe	90
PID 4740 wrote to memory of 1928	4740	KMSpico_setup.tmp	91
PID 4740 wrote to memory of 1928	4740	KMSpico_setup.tmp	91
PID 4740 wrote to memory of 1928	4740	KMSpico_setup.tmp	91
PID 1928 wrote to memory of 5112	1928	KMSpico_setup.exe	92
PID 1928 wrote to memory of 5112	1928	KMSpico_setup.exe	92
PID 1928 wrote to memory of 5112	1928	KMSpico_setup.exe	92
PID 5112 wrote to memory of 4580	5112	KMSpico_setup.tmp	93
PID 5112 wrote to memory of 4580	5112	KMSpico_setup.tmp	93
PID 5112 wrote to memory of 4580	5112	KMSpico_setup.tmp	93
PID 5112 wrote to memory of 264	5112	KMSpico_setup.tmp	95
PID 5112 wrote to memory of 264	5112	KMSpico_setup.tmp	95
PID 5112 wrote to memory of 264	5112	KMSpico_setup.tmp	95
PID 5112 wrote to memory of 2444	5112	KMSpico_setup.tmp	97
PID 5112 wrote to memory of 2444	5112	KMSpico_setup.tmp	97
PID 5112 wrote to memory of 2444	5112	KMSpico_setup.tmp	97
PID 5112 wrote to memory of 1368	5112	KMSpico_setup.tmp	98
PID 5112 wrote to memory of 1368	5112	KMSpico_setup.tmp	98
PID 5112 wrote to memory of 1368	5112	KMSpico_setup.tmp	98
PID 5112 wrote to memory of 2728	5112	KMSpico_setup.tmp	100
PID 5112 wrote to memory of 2728	5112	KMSpico_setup.tmp	100
PID 5112 wrote to memory of 2728	5112	KMSpico_setup.tmp	100
PID 5112 wrote to memory of 792	5112	KMSpico_setup.tmp	102
PID 5112 wrote to memory of 792	5112	KMSpico_setup.tmp	102
PID 5112 wrote to memory of 792	5112	KMSpico_setup.tmp	102
PID 2444 wrote to memory of 3572	2444	WScript.exe	104
PID 2444 wrote to memory of 3572	2444	WScript.exe	104
PID 2444 wrote to memory of 3572	2444	WScript.exe	104
PID 5112 wrote to memory of 3476	5112	KMSpico_setup.tmp	105
PID 5112 wrote to memory of 3476	5112	KMSpico_setup.tmp	105
PID 5112 wrote to memory of 3476	5112	KMSpico_setup.tmp	105
PID 5112 wrote to memory of 3340	5112	KMSpico_setup.tmp	108
PID 5112 wrote to memory of 3340	5112	KMSpico_setup.tmp	108
PID 5112 wrote to memory of 3340	5112	KMSpico_setup.tmp	108
PID 3572 wrote to memory of 708	3572	cmd.exe	109
PID 3572 wrote to memory of 708	3572	cmd.exe	109
PID 3572 wrote to memory of 708	3572	cmd.exe	109
PID 5112 wrote to memory of 1416	5112	KMSpico_setup.tmp	111
PID 5112 wrote to memory of 1416	5112	KMSpico_setup.tmp	111
PID 5112 wrote to memory of 1416	5112	KMSpico_setup.tmp	111
PID 2444 wrote to memory of 4116	2444	WScript.exe	113
PID 2444 wrote to memory of 4116	2444	WScript.exe	113
PID 2444 wrote to memory of 4116	2444	WScript.exe	113
PID 5112 wrote to memory of 2064	5112	KMSpico_setup.tmp	115
PID 5112 wrote to memory of 2064	5112	KMSpico_setup.tmp	115
PID 5112 wrote to memory of 2064	5112	KMSpico_setup.tmp	115
PID 4116 wrote to memory of 2208	4116	cmd.exe	117
PID 4116 wrote to memory of 2208	4116	cmd.exe	117
PID 4116 wrote to memory of 2208	4116	cmd.exe	117
PID 2444 wrote to memory of 3852	2444	WScript.exe	118
PID 2444 wrote to memory of 3852	2444	WScript.exe	118

C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe
"C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe"
1⤵
- Luminosity
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\KMSpico_11_final_setup.exe"
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe
  "C:\Users\Admin\AppData\Local\Temp\a5a8c2dc-878f-4b7b-b58c-0dc250e9930c.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\125665993.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Users\Admin\AppData\Local\Temp\is-4C4LI.tmp\KMSpico_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4C4LI.tmp\KMSpico_setup.tmp" /SL5="$2021A,3598500,122880,C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\is-T82S0.tmp\KMSpico_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T82S0.tmp\KMSpico_setup.tmp" /SL5="$30224,3598500,122880,C:\Users\Admin\AppData\Local\Temp\5e57de42-5fb2-46fd-a0ff-879f70c92e61\KMSpico_setup.exe" /VERYSILENT
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /f /im "ISUSPM.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /delete /tn * /f
        8⤵
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\is-5S3M7.tmp\netisolation.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy
        10⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=ActiveSync
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=ActiveSync
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
        9⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy
        10⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy
        9⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy
        10⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy
        9⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy
        10⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
        10⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AccountsControl_cw5n1h2txyewy
        9⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AccountsControl_cw5n1h2txyewy
        10⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AsyncTextService_8wekyb3d8bbwe
        9⤵
        
        PID:548
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.AsyncTextService_8wekyb3d8bbwe
        10⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.BioEnrollment_cw5n1h2txyewy
        9⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.BioEnrollment_cw5n1h2txyewy
        10⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.CredDialogHost_cw5n1h2txyewy
        9⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.CredDialogHost_cw5n1h2txyewy
        10⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.ECApp_8wekyb3d8bbwe
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.ECApp_8wekyb3d8bbwe
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.LockApp_cw5n1h2txyewy
        9⤵
        
        PID:772
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.LockApp_cw5n1h2txyewy
        10⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe
        10⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
        9⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
        10⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Win32WebViewHost_cw5n1h2txyewy
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Win32WebViewHost_cw5n1h2txyewy
        10⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy
        10⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy
        9⤵
        
        PID:792
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy
        10⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
        9⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CallingShellApp_cw5n1h2txyewy
        10⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CapturePicker_cw5n1h2txyewy
        9⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CapturePicker_cw5n1h2txyewy
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy
        9⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy
        10⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
        10⤵
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe
        9⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe
        10⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy
        10⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ParentalControls_cw5n1h2txyewy
        9⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ParentalControls_cw5n1h2txyewy
        10⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy
        10⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy
        9⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.PinningConfirmationDialog_cw5n1h2txyewy
        10⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.Search_cw5n1h2txyewy
        9⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.Search_cw5n1h2txyewy
        10⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy
        9⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy
        10⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
        9⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
        10⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
        9⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
        10⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy
        9⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy
        10⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.XboxGameCallableUI_cw5n1h2txyewy
        9⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.XboxGameCallableUI_cw5n1h2txyewy
        10⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=MicrosoftWindows.Client.CBS_cw5n1h2txyewy
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=MicrosoftWindows.Client.CBS_cw5n1h2txyewy
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy
        9⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=NcsiUwpApp_8wekyb3d8bbwe
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=NcsiUwpApp_8wekyb3d8bbwe
        10⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Windows.CBSPreview_cw5n1h2txyewy
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Windows.CBSPreview_cw5n1h2txyewy
        10⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=windows.immersivecontrolpanel_cw5n1h2txyewy
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=windows.immersivecontrolpanel_cw5n1h2txyewy
        10⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=Windows.PrintDialog_cw5n1h2txyewy
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=Windows.PrintDialog_cw5n1h2txyewy
        10⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c CheckNetIsolation.exe LoopbackExempt -a -n=windows_ie_ac_001
        9⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation.exe LoopbackExempt -a -n=windows_ie_ac_001
        10⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete isupdate.exe
        8⤵
        Launches sc.exe
        
        PID:1368
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete ISUSPM.exe
        8⤵
        Launches sc.exe
        
        PID:2728
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete msiupd.exe
        8⤵
        Launches sc.exe
        
        PID:792
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete router.exe
        8⤵
        Launches sc.exe
        
        PID:3476
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete Updater.exe
        8⤵
        Launches sc.exe
        
        PID:3340
        
        C:\Windows\SysWOW64\sc.exe
        
        "sc.exe" delete updatesvc.exe
        8⤵
        Launches sc.exe
        
        PID:1416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC ONLOGON /RL HIGHEST /TN "InstallShield® Update Service Scheduler" /TR "'C:\Program Files (x86)\Common Files\InstallShield\Update\ISUSPM.exe'"
        8⤵
        Luminosity
        
        PID:2064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /F /SC WEEKLY /D WED,SUN /ST 12:00 /RL HIGHEST /TN "Optimize Thumbnail Cache Files" /TR "wscript.exe //nologo //E:jscript //B C:\ProgramData\InstallShield\Update\isuspm.ini"
        8⤵
        Luminosity
        Creates scheduled task(s)
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\is-5S3M7.tmp\_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5S3M7.tmp\_setup.exe"
        8⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\is-NPPB9.tmp\_setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NPPB9.tmp\_setup.tmp" /SL5="$90260,2952592,69120,C:\Users\Admin\AppData\Local\Temp\is-5S3M7.tmp\_setup.exe"
        9⤵
        Executes dropped EXE
        
        PID:3508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery