colibri | 486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28

Analysis

max time kernel
118s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Size

4.9MB
MD5

674e323ec8e3abd5ffcb9ebbaec24d40
SHA1

2d6725a34476c325783b680e6d994ac62b659409
SHA256

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28
SHA512

452f7149cc2b016bd0b230e0aabb6bcfabb474e3a0da9a906b8a458e42992f2ce30bf4d9c4cd5dbdd0c5fc24d77565b4ae29603faf6fbd71d220dc79017c1a0b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	5000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	5000	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exe486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2496-2-0x000000001B720000-0x000000001B84E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3740	powershell.exe
4572	powershell.exe
4484	powershell.exe
4220	powershell.exe
4708	powershell.exe
3416	powershell.exe
4900	powershell.exe
1824	powershell.exe
5012	powershell.exe
2580	powershell.exe
3124	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 37 IoCs

Processes:

tmp73DE.tmp.exetmp73DE.tmp.exesppsvc.exetmpA192.tmp.exetmpA192.tmp.exesppsvc.exetmpC1CC.tmp.exetmpC1CC.tmp.exesppsvc.exesppsvc.exetmp5C.tmp.exetmp5C.tmp.exesppsvc.exetmp35E3.tmp.exetmp35E3.tmp.exetmp35E3.tmp.exetmp35E3.tmp.exetmp35E3.tmp.exesppsvc.exetmp5438.tmp.exetmp5438.tmp.exesppsvc.exetmp8DE6.tmp.exetmp8DE6.tmp.exesppsvc.exetmpAE20.tmp.exetmpAE20.tmp.exesppsvc.exetmpCC66.tmp.exetmpCC66.tmp.exetmpCC66.tmp.exesppsvc.exetmpEC42.tmp.exetmpEC42.tmp.exesppsvc.exetmp212D.tmp.exetmp212D.tmp.exe

pid	process
3948	tmp73DE.tmp.exe
1424	tmp73DE.tmp.exe
5384	sppsvc.exe
5772	tmpA192.tmp.exe
5848	tmpA192.tmp.exe
5992	sppsvc.exe
4804	tmpC1CC.tmp.exe
1480	tmpC1CC.tmp.exe
4380	sppsvc.exe
952	sppsvc.exe
2116	tmp5C.tmp.exe
3544	tmp5C.tmp.exe
4628	sppsvc.exe
5784	tmp35E3.tmp.exe
3876	tmp35E3.tmp.exe
5240	tmp35E3.tmp.exe
4012	tmp35E3.tmp.exe
2084	tmp35E3.tmp.exe
5656	sppsvc.exe
6068	tmp5438.tmp.exe
2996	tmp5438.tmp.exe
6072	sppsvc.exe
4408	tmp8DE6.tmp.exe
1676	tmp8DE6.tmp.exe
3624	sppsvc.exe
5012	tmpAE20.tmp.exe
2184	tmpAE20.tmp.exe
2116	sppsvc.exe
5668	tmpCC66.tmp.exe
1708	tmpCC66.tmp.exe
3876	tmpCC66.tmp.exe
5328	sppsvc.exe
2788	tmpEC42.tmp.exe
6092	tmpEC42.tmp.exe
5132	sppsvc.exe
5692	tmp212D.tmp.exe
2432	tmp212D.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmp73DE.tmp.exetmpA192.tmp.exetmpC1CC.tmp.exetmp5C.tmp.exetmp35E3.tmp.exetmp5438.tmp.exetmp8DE6.tmp.exetmpAE20.tmp.exetmpCC66.tmp.exetmpEC42.tmp.exetmp212D.tmp.exe

description	pid	process	target process
PID 3948 set thread context of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 5772 set thread context of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 4804 set thread context of 1480	4804	tmpC1CC.tmp.exe	tmpC1CC.tmp.exe
PID 2116 set thread context of 3544	2116	tmp5C.tmp.exe	tmp5C.tmp.exe
PID 4012 set thread context of 2084	4012	tmp35E3.tmp.exe	tmp35E3.tmp.exe
PID 6068 set thread context of 2996	6068	tmp5438.tmp.exe	tmp5438.tmp.exe
PID 4408 set thread context of 1676	4408	tmp8DE6.tmp.exe	tmp8DE6.tmp.exe
PID 5012 set thread context of 2184	5012	tmpAE20.tmp.exe	tmpAE20.tmp.exe
PID 1708 set thread context of 3876	1708	tmpCC66.tmp.exe	tmpCC66.tmp.exe
PID 2788 set thread context of 6092	2788	tmpEC42.tmp.exe	tmpEC42.tmp.exe
PID 5692 set thread context of 2432	5692	tmp212D.tmp.exe	tmp212D.tmp.exe

Drops file in Program Files directory 4 IoCs

Processes:

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\5940a34987c991	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX712C.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

Drops file in Windows directory 4 IoCs

Processes:

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

description	ioc	process
File opened for modification	C:\Windows\es-ES\RuntimeBroker.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\es-ES\RuntimeBroker.exe	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File created	C:\Windows\es-ES\9e8d7a4ca61bd9	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
File opened for modification	C:\Windows\es-ES\RCX798E.tmp	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpC1CC.tmp.exetmpCC66.tmp.exetmpEC42.tmp.exetmp212D.tmp.exetmpA192.tmp.exetmp5438.tmp.exetmpCC66.tmp.exetmp35E3.tmp.exetmp8DE6.tmp.exetmp73DE.tmp.exetmp35E3.tmp.exetmp35E3.tmp.exetmp35E3.tmp.exetmpAE20.tmp.exetmp5C.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC1CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC66.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEC42.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp212D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA192.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5438.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCC66.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp35E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8DE6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp73DE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp35E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp35E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp35E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAE20.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5C.tmp.exe

Modifies registry class 12 IoCs

Processes:

sppsvc.exe486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3048	schtasks.exe
3064	schtasks.exe
4604	schtasks.exe
1444	schtasks.exe
3532	schtasks.exe
5052	schtasks.exe
1152	schtasks.exe
1776	schtasks.exe
344	schtasks.exe
4292	schtasks.exe
1740	schtasks.exe
224	schtasks.exe
1676	schtasks.exe
3472	schtasks.exe
3720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
4220	powershell.exe
4220	powershell.exe
4484	powershell.exe
4484	powershell.exe
5012	powershell.exe
5012	powershell.exe
3416	powershell.exe
3416	powershell.exe
4708	powershell.exe
4708	powershell.exe
4572	powershell.exe
4572	powershell.exe
3124	powershell.exe
3124	powershell.exe
2580	powershell.exe
2580	powershell.exe
1824	powershell.exe
1824	powershell.exe
3740	powershell.exe
3740	powershell.exe
4900	powershell.exe
4900	powershell.exe
3416	powershell.exe
4708	powershell.exe
2580	powershell.exe
4220	powershell.exe
4484	powershell.exe
1824	powershell.exe
4572	powershell.exe
3740	powershell.exe
3124	powershell.exe
5012	powershell.exe
4900	powershell.exe
5384	sppsvc.exe
5992	sppsvc.exe
5992	sppsvc.exe
4380	sppsvc.exe
4380	sppsvc.exe
952	sppsvc.exe
952	sppsvc.exe
4628	sppsvc.exe
4628	sppsvc.exe
5656	sppsvc.exe
5656	sppsvc.exe
6072	sppsvc.exe
6072	sppsvc.exe
3624	sppsvc.exe
3624	sppsvc.exe
2116	sppsvc.exe
2116	sppsvc.exe
5328	sppsvc.exe
5328	sppsvc.exe
5132	sppsvc.exe
5132	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	5384	sppsvc.exe
Token: SeDebugPrivilege	5992	sppsvc.exe
Token: SeDebugPrivilege	4380	sppsvc.exe
Token: SeDebugPrivilege	952	sppsvc.exe
Token: SeDebugPrivilege	4628	sppsvc.exe
Token: SeDebugPrivilege	5656	sppsvc.exe
Token: SeDebugPrivilege	6072	sppsvc.exe
Token: SeDebugPrivilege	3624	sppsvc.exe
Token: SeDebugPrivilege	2116	sppsvc.exe
Token: SeDebugPrivilege	5328	sppsvc.exe
Token: SeDebugPrivilege	5132	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exetmp73DE.tmp.execmd.exesppsvc.exetmpA192.tmp.exeWScript.exesppsvc.exetmpC1CC.tmp.exe

description	pid	process	target process
PID 2496 wrote to memory of 3948	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	tmp73DE.tmp.exe
PID 2496 wrote to memory of 3948	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	tmp73DE.tmp.exe
PID 2496 wrote to memory of 3948	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 3948 wrote to memory of 1424	3948	tmp73DE.tmp.exe	tmp73DE.tmp.exe
PID 2496 wrote to memory of 5012	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 5012	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4484	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4484	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 1824	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 1824	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4900	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4900	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4572	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4572	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3740	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3740	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3416	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3416	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4708	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4708	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3124	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 3124	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4220	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 4220	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 2580	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 2580	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	powershell.exe
PID 2496 wrote to memory of 1992	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	cmd.exe
PID 2496 wrote to memory of 1992	2496	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe	cmd.exe
PID 1992 wrote to memory of 512	1992	cmd.exe	w32tm.exe
PID 1992 wrote to memory of 512	1992	cmd.exe	w32tm.exe
PID 1992 wrote to memory of 5384	1992	cmd.exe	sppsvc.exe
PID 1992 wrote to memory of 5384	1992	cmd.exe	sppsvc.exe
PID 5384 wrote to memory of 5636	5384	sppsvc.exe	WScript.exe
PID 5384 wrote to memory of 5636	5384	sppsvc.exe	WScript.exe
PID 5384 wrote to memory of 5684	5384	sppsvc.exe	WScript.exe
PID 5384 wrote to memory of 5684	5384	sppsvc.exe	WScript.exe
PID 5384 wrote to memory of 5772	5384	sppsvc.exe	tmpA192.tmp.exe
PID 5384 wrote to memory of 5772	5384	sppsvc.exe	tmpA192.tmp.exe
PID 5384 wrote to memory of 5772	5384	sppsvc.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5772 wrote to memory of 5848	5772	tmpA192.tmp.exe	tmpA192.tmp.exe
PID 5636 wrote to memory of 5992	5636	WScript.exe	sppsvc.exe
PID 5636 wrote to memory of 5992	5636	WScript.exe	sppsvc.exe
PID 5992 wrote to memory of 6128	5992	sppsvc.exe	WScript.exe
PID 5992 wrote to memory of 6128	5992	sppsvc.exe	WScript.exe
PID 5992 wrote to memory of 1488	5992	sppsvc.exe	WScript.exe
PID 5992 wrote to memory of 1488	5992	sppsvc.exe	WScript.exe
PID 5992 wrote to memory of 4804	5992	sppsvc.exe	tmpC1CC.tmp.exe
PID 5992 wrote to memory of 4804	5992	sppsvc.exe	tmpC1CC.tmp.exe
PID 5992 wrote to memory of 4804	5992	sppsvc.exe	tmpC1CC.tmp.exe
PID 4804 wrote to memory of 1480	4804	tmpC1CC.tmp.exe	tmpC1CC.tmp.exe
PID 4804 wrote to memory of 1480	4804	tmpC1CC.tmp.exe	tmpC1CC.tmp.exe
PID 4804 wrote to memory of 1480	4804	tmpC1CC.tmp.exe	tmpC1CC.tmp.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe
"C:\Users\Admin\AppData\Local\Temp\486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496

C:\Users\Admin\AppData\Local\Temp\tmp73DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73DE.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\tmp73DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp73DE.tmp.exe"
3⤵
- Executes dropped EXE
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zt3JT3T8RF.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:512

C:\Recovery\WindowsRE\sppsvc.exe
"C:\Recovery\WindowsRE\sppsvc.exe"
3⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90684284-e6a9-4d31-9bb7-6734d18239cd.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:5636

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f5f190-673e-4765-8ab4-cc159ed28d8c.vbs"
6⤵
PID:6128

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fad46d54-1b62-413f-afe8-8d5bcd3aa6f4.vbs"
8⤵
PID:4140

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a459423-ff59-407a-851f-26eb97ee78f7.vbs"
10⤵
PID:4184

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38f98eef-14fa-4b23-9e8b-a0d2ab56e781.vbs"
12⤵
PID:3612

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9223fdef-424b-4863-abfa-b085fc0c8c4b.vbs"
14⤵
PID:5772

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
15⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:6072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fcbb9f6-0bf9-4a6b-ba35-9a8898fef63d.vbs"
16⤵
PID:5016

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
17⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6cf0fca-4bd1-4dfa-9b12-a96b9c21f882.vbs"
18⤵
PID:3280

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
19⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82705076-05fe-4d83-be65-7767ddae1fbc.vbs"
20⤵
PID:2312

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
21⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db5494ac-507f-41f0-a675-cf0c8924d652.vbs"
22⤵
PID:5856

C:\Recovery\WindowsRE\sppsvc.exe
C:\Recovery\WindowsRE\sppsvc.exe
23⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0e1b211-10f3-44b7-ab47-0155b15ff5a5.vbs"
24⤵
PID:3576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a69294f-5833-45b3-ac52-af5dc517c238.vbs"
24⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\tmp212D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp212D.tmp.exe"
24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5692

C:\Users\Admin\AppData\Local\Temp\tmp212D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp212D.tmp.exe"
25⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab2b0bb0-2eb4-40b4-ae24-fd89f4e2cd5a.vbs"
22⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp.exe"
22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2788

C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp.exe"
23⤵
- Executes dropped EXE
PID:6092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44fc661c-8cb9-466f-a56f-ca07dfbc3575.vbs"
20⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe"
20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5668

C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCC66.tmp.exe"
22⤵
- Executes dropped EXE
PID:3876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b74b86f0-e1d7-4cb6-a3f0-2409b92f4bc9.vbs"
18⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\tmpAE20.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAE20.tmp.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5012

C:\Users\Admin\AppData\Local\Temp\tmpAE20.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpAE20.tmp.exe"
19⤵
- Executes dropped EXE
PID:2184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a4ea38-81da-440b-882b-6dcb3ca47847.vbs"
16⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\tmp8DE6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8DE6.tmp.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4408

C:\Users\Admin\AppData\Local\Temp\tmp8DE6.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8DE6.tmp.exe"
17⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3595b5c5-1b26-49f9-9a97-578233957c7d.vbs"
14⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6068

C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5438.tmp.exe"
15⤵
- Executes dropped EXE
PID:2996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcddcdd4-ad52-4772-9231-fa810f0c322a.vbs"
12⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe"
12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5784

C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe"
13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3876

C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe"
14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5240

C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4012

C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp35E3.tmp.exe"
16⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aafc43fe-4da9-4a8d-988d-440a258a94e5.vbs"
10⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\tmp5C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5C.tmp.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2116

C:\Users\Admin\AppData\Local\Temp\tmp5C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5C.tmp.exe"
11⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3410148e-c82b-4766-b316-b5b82c395584.vbs"
8⤵
PID:2588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115d35e4-5f1e-4f99-ba1c-5485733d3f6c.vbs"
6⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\tmpC1CC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC1CC.tmp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\tmpC1CC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC1CC.tmp.exe"
7⤵
- Executes dropped EXE
PID:1480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2ac3b02-e26b-4594-b7f3-afd07578007c.vbs"
4⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\tmpA192.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA192.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5772

C:\Users\Admin\AppData\Local\Temp\tmpA192.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA192.tmp.exe"
5⤵
- Executes dropped EXE
PID:5848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4508,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\354a6e01fa79f64f96355722f81961fb13b487be.exe
Filesize
4.9MB

MD5
21822a5eae033d6683d9ba6df4d12b74

SHA1
afe149ef0212fc7e4a4eff5500dd726be28f9f82

SHA256
792f10989bd959a694fe3f47c4d2da734ce95d52e9115fcc5a6ab9f71f91c42a

SHA512
66bb4a0f00a30da8e4f1edd1af19f38b388baca8e9a88a4cd2c19602945e180e6b780dcfc305c55b91597a758926a10a4beb84ab354d27e1797bddebc6fd31b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\38f98eef-14fa-4b23-9e8b-a0d2ab56e781.vbs
Filesize
708B

MD5
806ffc7e47cdde456d5fbe0be4181ebc

SHA1
5bcf976dd4c0b0930d30a9df258952ba04ca154a

SHA256
4e93e8bc0aa0d98378502f5efc39928d87d35f94d1ae9397898bb91eca787f92

SHA512
54cde18fa1bc18022a8c8f837cdd55e9d661317f08ee1c2dd349f039c8a00cb7895929e049bf3909957068d0a1bd216befb33cf20dcf8f701361dbb1302cae32

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a459423-ff59-407a-851f-26eb97ee78f7.vbs
Filesize
707B

MD5
45a32819b7b81b7c09ca5244605cfbb4

SHA1
8cb050aac0b5bae922d9b3a6fd37789dce4210ef

SHA256
89def201492a9c6cc219a6146e7f00f25ca691a602aed1bd8e74d824a984c83b

SHA512
8695be6d4a8eb0d369f073be7c31c4244f03a4aeea8ccf4e4ce1b378427e019803ac6a6aa497d9b49b308518c317074efbdb2b7bcc5d349e39896590820cd4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f5f190-673e-4765-8ab4-cc159ed28d8c.vbs
Filesize
708B

MD5
31692117cdab4b58f5de5d45b98d1ac8

SHA1
3f085b0ded6f499951177ef3c6e73d87cfc05856

SHA256
7d328fe6be7e4aee24c20affd99a45f7bda03e3ab690c069ab7656e7b64c0a78

SHA512
586ab20be1b81e49f41c9aa3ec288889ce3fa52c4cb615b47b7b96d31f57bc545e1c2b38b81464c5986690a642c81a3430934c1eb96edc6d9ab82db0bbb70924

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fcbb9f6-0bf9-4a6b-ba35-9a8898fef63d.vbs
Filesize
708B

MD5
cb2fe9c9ad4f075491c0d5e1f7a2d539

SHA1
4212267086688a5e1d5d13096e2c1f698559854c

SHA256
915b3bf515b983a58884642cc6b793f8aa829f60fc83738427ba9e4cb51be77d

SHA512
85b14726dbc8db1f674b9d1f59cf5e01851feb5100a1b9f12bf7952dd138ddd41a9720e55de94f25025a67ba3d773b5eecdaeca180848aabd80cfbbb6e67e185

Download Submit
C:\Users\Admin\AppData\Local\Temp\90684284-e6a9-4d31-9bb7-6734d18239cd.vbs
Filesize
708B

MD5
79f103a3103727bbfe1e67b30427765f

SHA1
08a7ec67b18dbdbd3799e50203b13b433d04b385

SHA256
b48dbb01c5215d6d8c5abb08cc37a1ff7765e3288aa1617c0535a8d7b2c277ef

SHA512
deb1bbadfe09b66beb53d99ae68eef4df48f550d6e5922c82289a3efad64bd3a4b24b79901f9565d34a5cb636718fda531d7d55391aa17d215e49f776801151c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9223fdef-424b-4863-abfa-b085fc0c8c4b.vbs
Filesize
708B

MD5
bc4dd43eadf97af7600e980289d041ca

SHA1
e6f542efd0602695b84907612d8948f64908992b

SHA256
47cb6d450835aba090cf59ea75fad6bafa760e1cdd63aefab14a6f834b594cbf

SHA512
d946d8ed74ff9798eeef9fb07c5386138eae3fada3eec68a455800ef67622515c3c4c8d34a4aa8e74cd0753444082d5b8b8525603ad8d996bbd45714526e1279

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5j4wmggl.lp0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2ac3b02-e26b-4594-b7f3-afd07578007c.vbs
Filesize
484B

MD5
412fc4ada5a748692f950ed12cddf00c

SHA1
f4b7fedec6a9caf5e9c3c9d9b05f9bf5549dd7c0

SHA256
33ce7266255d141f503312bd02c81ff667f152b4f1fac91fc941994f324b7e1c

SHA512
d79fdff530f8f1a41906b92911af5122bc779934c94ef467dcf9b53708639642a2bb9d6af1fe8f260e460703408c88f4c0663f4f1e8276a201e03f43800259b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fad46d54-1b62-413f-afe8-8d5bcd3aa6f4.vbs
Filesize
708B

MD5
49e604570318fa6655288a9da11cbe05

SHA1
76ed5fd424d9d665f9e06676150f63477453ee16

SHA256
8ed0f304160df5f6ca5c1682fb1481750ef7adc78c2c906f2d999e0d485452a9

SHA512
516d7d5e98668cb1a1adf731b3674dd155c0ab0d3da3ec06cb8dfa9720af9edbf73083c0aec5c0ce4a5271355badd177fbe11ed8f078d90563f18915a924ec73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp73DE.tmp.exe
Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zt3JT3T8RF.bat
Filesize
197B

MD5
db9197a463fcd9c4d322e6bef9612173

SHA1
57d57020c7b535d16028055e3d25b393de5f3d40

SHA256
1c69dc552c5b9d7469c96cf9a3099e3dbc73272361fba958d0e301e4a374d7ab

SHA512
4b0ba402a8e8ce06d5319694eeed50f366ef42e711e62cbba37b786995c3a83fd0d247ab6cc6c9e990d5425aa9b46d9adfbc4512395974e3f84dd97a0a59849e

Download Submit
C:\Windows\es-ES\RuntimeBroker.exe
Filesize
4.9MB

MD5
674e323ec8e3abd5ffcb9ebbaec24d40

SHA1
2d6725a34476c325783b680e6d994ac62b659409

SHA256
486f31da577a1addb7ac8ba5612de1a2c71cbc973867eefea40c0c1af361bc28

SHA512
452f7149cc2b016bd0b230e0aabb6bcfabb474e3a0da9a906b8a458e42992f2ce30bf4d9c4cd5dbdd0c5fc24d77565b4ae29603faf6fbd71d220dc79017c1a0b

Download Submit
memory/1424-62-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2496-11-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/2496-8-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/2496-83-0x00007FF9478F0000-0x00007FF9483B1000-memory.dmp

Filesize
10.8MB

Download
memory/2496-18-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/2496-17-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

Filesize
32KB

Download
memory/2496-16-0x000000001B5E0000-0x000000001B5E8000-memory.dmp

Filesize
32KB

Download
memory/2496-14-0x000000001B570000-0x000000001B57E000-memory.dmp

Filesize
56KB

Download
memory/2496-13-0x000000001B560000-0x000000001B56A000-memory.dmp

Filesize
40KB

Download
memory/2496-15-0x000000001B5D0000-0x000000001B5DE000-memory.dmp

Filesize
56KB

Download
memory/2496-12-0x000000001C280000-0x000000001C7A8000-memory.dmp

Filesize
5.2MB

Download
memory/2496-0-0x00007FF9478F3000-0x00007FF9478F5000-memory.dmp

Filesize
8KB

Download
memory/2496-1-0x00000000002B0000-0x00000000007A4000-memory.dmp

Filesize
5.0MB

Download
memory/2496-10-0x000000001B540000-0x000000001B54A000-memory.dmp

Filesize
40KB

Download
memory/2496-9-0x000000001B530000-0x000000001B540000-memory.dmp

Filesize
64KB

Download
memory/2496-6-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/2496-7-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/2496-5-0x000000001B580000-0x000000001B5D0000-memory.dmp

Filesize
320KB

Download
memory/2496-4-0x0000000000FB0000-0x0000000000FCC000-memory.dmp

Filesize
112KB

Download
memory/2496-2-0x000000001B720000-0x000000001B84E000-memory.dmp

Filesize
1.2MB

Download
memory/2496-3-0x00007FF9478F0000-0x00007FF9483B1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-84-0x000001CDF9920000-0x000001CDF9942000-memory.dmp

Filesize
136KB

Download