f520de18c104871d561a706c63f656c82be4a1b884352d0855368ea101f7e4d7

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\F:	ProcessHacker.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ProcessHacker.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\Process Hacker 2\plugins\is-6SN68.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\UserNotes.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-Q6A9N.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-CIP4S.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\plugins\is-ANI2J.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-KRDOJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-TQ95F.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-2LDSQ.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\ProcessHacker.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-6I5PE.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-TDH3B.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-SMBOJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-ECGS7.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-HCFBF.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\peview.exe	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\x86\is-KK5MJ.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-NTERI.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\unins000.dat	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-5THN7.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-HRDNH.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-OB1M3.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-DE5H0.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-P8UOS.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-0P6UF.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-S2P2L.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\is-56Q08.tmp	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll	processhacker-2.39-setup.tmp
File opened for modification	C:\Program Files\Process Hacker 2\plugins\Updater.dll	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-DMKGB.tmp	processhacker-2.39-setup.tmp
File created	C:\Program Files\Process Hacker 2\plugins\is-VKHEN.tmp	processhacker-2.39-setup.tmp

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\TrustedInstaller.exe	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe
File opened for modification	C:\Windows\TrustedInstaller.exe	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe
File created	C:\Windows\xdwd.dll	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	processhacker-2.39-setup.tmp

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	ProcessHacker.exe

Checks processor information in registry 2 TTPs 29 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	ProcessHacker.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	ProcessHacker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	ProcessHacker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ProcessHacker.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\processhacker-2.39-setup.exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	firefox.exe
2876	firefox.exe
1736	firefox.exe
1736	firefox.exe
2704	firefox.exe
4528	processhacker-2.39-setup.tmp
4528	processhacker-2.39-setup.tmp
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5712	ProcessHacker.exe
5556	ProcessHacker.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	1736	firefox.exe
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	4528	processhacker-2.39-setup.tmp
Token: SeDebugPrivilege	5712	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5712	ProcessHacker.exe
Token: 33	5712	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5712	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5712	ProcessHacker.exe
Token: SeRestorePrivilege	5712	ProcessHacker.exe
Token: SeShutdownPrivilege	5712	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5712	ProcessHacker.exe
Token: SeDebugPrivilege	5712	ProcessHacker.exe
Token: SeDebugPrivilege	5712	ProcessHacker.exe
Token: SeDebugPrivilege	5556	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	5556	ProcessHacker.exe
Token: 33	5556	ProcessHacker.exe
Token: SeLoadDriverPrivilege	5556	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	5556	ProcessHacker.exe
Token: SeRestorePrivilege	5556	ProcessHacker.exe
Token: SeShutdownPrivilege	5556	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	5556	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
4528	processhacker-2.39-setup.tmp
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1736	firefox.exe
1736	firefox.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5712	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe
5556	ProcessHacker.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe
1736	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 728	4856	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe	79
PID 4856 wrote to memory of 728	4856	753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe	79
PID 728 wrote to memory of 3576	728	CMD.exe	81
PID 728 wrote to memory of 3576	728	CMD.exe	81
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 2876 wrote to memory of 1736	2876	firefox.exe	85
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2704	1736	firefox.exe	86
PID 1736 wrote to memory of 2516	1736	firefox.exe	87
PID 1736 wrote to memory of 2516	1736	firefox.exe	87
PID 1736 wrote to memory of 2516	1736	firefox.exe	87
PID 1736 wrote to memory of 2516	1736	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe
"C:\Users\Admin\AppData\Local\Temp\753d66621ae168b5968406b8c2ad1845f1c9bf42f47556e7646d14e8484adeb8.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TrustedInstall" /tr "C:\Windows\TrustedInstaller.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TrustedInstall" /tr "C:\Windows\TrustedInstaller.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d27e0a66-029e-472d-bbdb-a7d00371041b} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" gpu
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d903465f-5a19-4ba6-96c6-9f6e0e7e9694} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" socket
    3⤵
    - Checks processor information in registry
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3120 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4651f24-6e9c-408a-b62d-303215c4cfa2} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {036b8d60-a03e-48a8-82e9-610b6f62cd6d} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4780 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4788 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83560db2-6542-4696-82cc-0406b4483e3c} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" utility
    3⤵
    - Checks processor information in registry
    PID:1896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 3 -isForBrowser -prefsHandle 2788 -prefMapHandle 3232 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cd1ef4e-781d-4ffb-a7f1-81f065bad041} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3292 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8747aeb3-3475-4ca6-8061-b5644d2007e3} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5608 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c970971a-468d-4f04-835e-7ca53dab26c0} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 6 -isForBrowser -prefsHandle 6132 -prefMapHandle 6128 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f153bf94-bfcf-4e3f-b296-1b952bc4bb64} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5560 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3252218-3c92-43a2-a1c0-c654cc7046b7} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:3112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6396 -childID 8 -isForBrowser -prefsHandle 6376 -prefMapHandle 3600 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26fe5752-d33f-40af-9c55-4b74107747d9} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6692 -childID 9 -isForBrowser -prefsHandle 6684 -prefMapHandle 6676 -prefsLen 27777 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0adbc645-89ea-4385-bc1f-2be4d1179e1c} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:1348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4536 -childID 10 -isForBrowser -prefsHandle 6828 -prefMapHandle 6832 -prefsLen 27777 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e94931ca-0184-424f-a0f5-924ea94454b1} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -childID 11 -isForBrowser -prefsHandle 5440 -prefMapHandle 5984 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {112de0ee-b954-480a-a035-42b494ca0f4e} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7108 -childID 12 -isForBrowser -prefsHandle 7116 -prefMapHandle 7120 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5850410-bfd4-44de-8b64-0eb730af7cb7} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7400 -childID 13 -isForBrowser -prefsHandle 7316 -prefMapHandle 7320 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b126c003-42c7-4637-9435-340cf61fe20f} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:3532
- - C:\Users\Admin\Downloads\processhacker-2.39-setup.exe
    "C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5208
  - - C:\Users\Admin\AppData\Local\Temp\is-UCLLU.tmp\processhacker-2.39-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-UCLLU.tmp\processhacker-2.39-setup.tmp" /SL5="$80254,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4528
    - - C:\Program Files\Process Hacker 2\ProcessHacker.exe
        
        "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Checks system information in the registry
        Checks SCSI registry key(s)
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 14 -isForBrowser -prefsHandle 5688 -prefMapHandle 5604 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24c0c2ca-b401-4a11-9dad-a601afc5ce7d} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:5196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6944 -childID 15 -isForBrowser -prefsHandle 3600 -prefMapHandle 7044 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8758bd4-f2ea-451f-99fc-f2938fef3cd2} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:6000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 16 -isForBrowser -prefsHandle 6816 -prefMapHandle 6964 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e4b53b0-83ab-4c2d-92a7-98aad86a711b} 1736 "\\.\pipe\gecko-crash-server-pipe.1736" tab
    3⤵
    PID:2984

C:\Program Files\Process Hacker 2\ProcessHacker.exe
"C:\Program Files\Process Hacker 2\ProcessHacker.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery