colibri | 9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

Analysis

max time kernel
120s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Size

4.9MB
MD5

f32026ab859baf87e56f628b87ec52a0
SHA1

926a579598eb4364b9cd10a036a294809fd3cb16
SHA256

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975
SHA512

69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	224	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	224	schtasks.exe	82

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1276-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4744	powershell.exe
8	powershell.exe
888	powershell.exe
3344	powershell.exe
236	powershell.exe
3044	powershell.exe
1212	powershell.exe
4072	powershell.exe
688	powershell.exe
5080	powershell.exe
3276	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 36 IoCs

pid	Process
3244	tmp95FA.tmp.exe
4156	tmp95FA.tmp.exe
4292	tmp95FA.tmp.exe
2056	services.exe
952	tmpC60F.tmp.exe
1644	tmpC60F.tmp.exe
4364	services.exe
2332	tmpF6C4.tmp.exe
1984	tmpF6C4.tmp.exe
1340	services.exe
1416	tmp26DC.tmp.exe
3276	tmp26DC.tmp.exe
4992	tmp26DC.tmp.exe
2276	services.exe
2764	tmp5733.tmp.exe
4012	tmp5733.tmp.exe
4892	tmp5733.tmp.exe
988	services.exe
4092	tmp87C9.tmp.exe
2332	tmp87C9.tmp.exe
2912	tmp87C9.tmp.exe
5080	services.exe
3756	tmpA4E6.tmp.exe
3564	tmpA4E6.tmp.exe
2180	services.exe
2148	tmpD6E3.tmp.exe
4976	tmpD6E3.tmp.exe
1260	services.exe
3328	tmp620.tmp.exe
2280	tmp620.tmp.exe
1908	services.exe
4632	tmp21B7.tmp.exe
4132	tmp21B7.tmp.exe
3660	services.exe
3792	tmp51CF.tmp.exe
1824	tmp51CF.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\RCX92CC.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\SysWOW64\sysprep\en-US\sihost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\SysWOW64\sysprep\en-US\sihost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\SysWOW64\sysprep\en-US\66fc9ff0ee96c2	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4156 set thread context of 4292	4156	tmp95FA.tmp.exe	107
PID 2332 set thread context of 1984	2332	tmpF6C4.tmp.exe	150
PID 3276 set thread context of 4992	3276	tmp26DC.tmp.exe	159
PID 4012 set thread context of 4892	4012	tmp5733.tmp.exe	166
PID 2332 set thread context of 2912	2332	tmp87C9.tmp.exe	173
PID 3756 set thread context of 3564	3756	tmpA4E6.tmp.exe	179
PID 2148 set thread context of 4976	2148	tmpD6E3.tmp.exe	185
PID 3328 set thread context of 2280	3328	tmp620.tmp.exe	191
PID 4632 set thread context of 4132	4632	tmp21B7.tmp.exe	197
PID 3792 set thread context of 1824	3792	tmp51CF.tmp.exe	203

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\services.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files (x86)\Windows NT\c5b4cb5e9653cc	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Java\SearchApp.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Java\38384e6a620884	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows NT\RCX90B8.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX954E.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\services.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows NT\winlogon.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Java\SearchApp.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows NT\cc11b995f2a76d	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Java\RCX97D0.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows NT\winlogon.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Logs\waasmedic\fontdrvhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD6E3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp21B7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95FA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp26DC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp26DC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5733.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp95FA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF6C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA4E6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC60F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5733.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp87C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp620.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp51CF.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1268	schtasks.exe
876	schtasks.exe
4068	schtasks.exe
3972	schtasks.exe
5112	schtasks.exe
4540	schtasks.exe
784	schtasks.exe
3480	schtasks.exe
5012	schtasks.exe
4764	schtasks.exe
4480	schtasks.exe
4492	schtasks.exe
2256	schtasks.exe
4908	schtasks.exe
3584	schtasks.exe
2640	schtasks.exe
1628	schtasks.exe
2208	schtasks.exe
5092	schtasks.exe
244	schtasks.exe
4588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
688	powershell.exe
688	powershell.exe
3044	powershell.exe
3044	powershell.exe
3276	powershell.exe
3276	powershell.exe
4744	powershell.exe
4744	powershell.exe
236	powershell.exe
236	powershell.exe
1212	powershell.exe
1212	powershell.exe
8	powershell.exe
8	powershell.exe
888	powershell.exe
888	powershell.exe
3344	powershell.exe
3344	powershell.exe
4072	powershell.exe
4072	powershell.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
3044	powershell.exe
3276	powershell.exe
1212	powershell.exe
4744	powershell.exe
888	powershell.exe
8	powershell.exe
236	powershell.exe
688	powershell.exe
688	powershell.exe
3344	powershell.exe
4072	powershell.exe
2056	services.exe
4364	services.exe
1340	services.exe
2276	services.exe
988	services.exe
5080	services.exe
2180	services.exe
1260	services.exe
1908	services.exe
3660	services.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2056	services.exe
Token: SeDebugPrivilege	4364	services.exe
Token: SeDebugPrivilege	1340	services.exe
Token: SeDebugPrivilege	2276	services.exe
Token: SeDebugPrivilege	988	services.exe
Token: SeDebugPrivilege	5080	services.exe
Token: SeDebugPrivilege	2180	services.exe
Token: SeDebugPrivilege	1260	services.exe
Token: SeDebugPrivilege	1908	services.exe
Token: SeDebugPrivilege	3660	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3244	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	104
PID 1276 wrote to memory of 3244	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	104
PID 1276 wrote to memory of 3244	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	104
PID 3244 wrote to memory of 4156	3244	tmp95FA.tmp.exe	106
PID 3244 wrote to memory of 4156	3244	tmp95FA.tmp.exe	106
PID 3244 wrote to memory of 4156	3244	tmp95FA.tmp.exe	106
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 4156 wrote to memory of 4292	4156	tmp95FA.tmp.exe	107
PID 1276 wrote to memory of 5080	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	108
PID 1276 wrote to memory of 5080	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	108
PID 1276 wrote to memory of 3276	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	109
PID 1276 wrote to memory of 3276	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	109
PID 1276 wrote to memory of 688	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	110
PID 1276 wrote to memory of 688	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	110
PID 1276 wrote to memory of 4072	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	111
PID 1276 wrote to memory of 4072	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	111
PID 1276 wrote to memory of 8	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	113
PID 1276 wrote to memory of 8	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	113
PID 1276 wrote to memory of 4744	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	114
PID 1276 wrote to memory of 4744	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	114
PID 1276 wrote to memory of 1212	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	115
PID 1276 wrote to memory of 1212	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	115
PID 1276 wrote to memory of 3044	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	116
PID 1276 wrote to memory of 3044	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	116
PID 1276 wrote to memory of 3344	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	117
PID 1276 wrote to memory of 3344	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	117
PID 1276 wrote to memory of 888	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	118
PID 1276 wrote to memory of 888	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	118
PID 1276 wrote to memory of 236	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	119
PID 1276 wrote to memory of 236	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	119
PID 1276 wrote to memory of 1776	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	129
PID 1276 wrote to memory of 1776	1276	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	129
PID 1776 wrote to memory of 3252	1776	cmd.exe	132
PID 1776 wrote to memory of 3252	1776	cmd.exe	132
PID 1776 wrote to memory of 2056	1776	cmd.exe	136
PID 1776 wrote to memory of 2056	1776	cmd.exe	136
PID 2056 wrote to memory of 4476	2056	services.exe	138
PID 2056 wrote to memory of 4476	2056	services.exe	138
PID 2056 wrote to memory of 3284	2056	services.exe	139
PID 2056 wrote to memory of 3284	2056	services.exe	139
PID 2056 wrote to memory of 952	2056	services.exe	142
PID 2056 wrote to memory of 952	2056	services.exe	142
PID 2056 wrote to memory of 952	2056	services.exe	142
PID 4476 wrote to memory of 4364	4476	WScript.exe	145
PID 4476 wrote to memory of 4364	4476	WScript.exe	145
PID 4364 wrote to memory of 4076	4364	services.exe	146
PID 4364 wrote to memory of 4076	4364	services.exe	146
PID 4364 wrote to memory of 8	4364	services.exe	147
PID 4364 wrote to memory of 8	4364	services.exe	147
PID 4364 wrote to memory of 2332	4364	services.exe	148
PID 4364 wrote to memory of 2332	4364	services.exe	148
PID 4364 wrote to memory of 2332	4364	services.exe	148
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150
PID 2332 wrote to memory of 1984	2332	tmpF6C4.tmp.exe	150

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1276
- C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3252
- - C:\Program Files (x86)\Windows NT\services.exe
    "C:\Program Files (x86)\Windows NT\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb05199e-faa6-46e7-9eff-82d69577b2b2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61ec9c33-2a53-47cd-bb59-e80fcf37eeff.vbs"
        6⤵
        
        PID:4076
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f20fcace-3e07-4e36-b305-22efcf9ac985.vbs"
        8⤵
        
        PID:3432
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e9d005-a274-4c9d-9e8a-cde45e7f496e.vbs"
        10⤵
        
        PID:1420
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57530a5f-3446-48e0-b679-875fa3656616.vbs"
        12⤵
        
        PID:448
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ff8365c-34b3-4678-adf0-fbc4395daa4b.vbs"
        14⤵
        
        PID:2648
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3045733-52b9-4417-beca-969476a86403.vbs"
        16⤵
        
        PID:744
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\424d7474-d16c-49a3-aa7e-17ba3b8eed0f.vbs"
        18⤵
        
        PID:4184
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94cd68b0-1cea-48c0-9b96-bb6bdf54b56b.vbs"
        20⤵
        
        PID:2556
        
        C:\Program Files (x86)\Windows NT\services.exe
        
        "C:\Program Files (x86)\Windows NT\services.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4971e93d-cefc-4667-9f0e-7e3b28afa30e.vbs"
        22⤵
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d105857d-3742-4cb8-aa95-79960f530d63.vbs"
        22⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp51CF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp51CF.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp51CF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp51CF.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e79da7f2-933a-4a2f-bcad-f7b1c6f5c7b7.vbs"
        20⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp21B7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp21B7.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp21B7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp21B7.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b577760-af00-490c-954b-db364da780c1.vbs"
        18⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp620.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp620.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp620.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp620.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03330ce6-2575-4102-8fff-cc3e73aa7b8a.vbs"
        16⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmpD6E3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD6E3.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmpD6E3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD6E3.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a98d2df9-571c-456c-ab7e-6148667e9965.vbs"
        14⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4E6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4E6.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmpA4E6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA4E6.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\497c1736-5c83-48d1-bc9e-f75c380bd36d.vbs"
        12⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp87C9.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9117143-3fb1-4a34-8f70-907e419eaca1.vbs"
        10⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5733.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\825b3470-45a8-4f52-a372-7029fb0981e8.vbs"
        8⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp26DC.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8b267f7-37fe-42ca-850c-f760d79bf33f.vbs"
        6⤵
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF6C4.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fff37dd-2769-451e-a12c-f81c3a504ca6.vbs"
      4⤵
      PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:952
    - - C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC60F.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\sysprep\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sysprep\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\sysprep\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Java\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\services.exe

Filesize
4.9MB

MD5
44b38ba86c9e00bd67299fa68a705d7d

SHA1
2ef21ddfab170d9f3e40e68a9abc03313838f132

SHA256
401a7395dafb06f9fd2047d014fc1e488756a3c225b06e05927329bafed83b3c

SHA512
272aa870e36796109fae7cdf27477e66765fa1bdee3e4415ccb2cd2838152397c49e49d705b6c7c90d475924ca32a875eae4ebd0da40b13e00ddce2d2d6cf341

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
4.9MB

MD5
6d490006664021abb55f8657d0b0a379

SHA1
a6127ffcabdf386e32d270130dc1132ce0bb18f8

SHA256
3a899c32507138f8c8c82e476244b6505179e7d35e323d0b38a40b38d32d0fec

SHA512
0e50619ebf42a34cd23c803b34ba5e6e2331bea4df903966eae0bf7b1fb72b6116234fab5c3001cd24dfc768aaedfd8b0f313c9d1de54a191374eab527235d00

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
4.9MB

MD5
f32026ab859baf87e56f628b87ec52a0

SHA1
926a579598eb4364b9cd10a036a294809fd3cb16

SHA256
9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

SHA512
69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fff37dd-2769-451e-a12c-f81c3a504ca6.vbs

Filesize
498B

MD5
ac7dfd116890be9221a42ef17fe9206c

SHA1
c13086c7757231a269bfea43bfb181fafa1589db

SHA256
47038a0090aaf3ec7afbbebc5b38cb8116077e81870f5b200342fa97cbc046f5

SHA512
f5927ad5a91e68b5e092601cfa89d52410a0effa3097155f36751269b48b881ad2967be1c8b410373fd1050e53a5387589008580383e756c7f39ba79d19f54a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\57530a5f-3446-48e0-b679-875fa3656616.vbs

Filesize
721B

MD5
f06562a10a2fb2a06e1cf195405ff428

SHA1
6da1e26f7b5041388d25768a1a36a0bf21d0a1cf

SHA256
2e231a58b18b919dbe2334337d6f18e57767b61cad8aebe5dd436a7628d9e684

SHA512
e11742dce910101d70bb0ced185394ddc56b49b4313ad1ac0064ab4757d54a743a3ced684e21c3b58ca75b91bebab33cb4319838994d348f8c87eb86ab8146d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ff8365c-34b3-4678-adf0-fbc4395daa4b.vbs

Filesize
722B

MD5
5d8c068c23b761f40dd94be2bee67ccc

SHA1
db93dc6b558325b0788f3a591e0b414b8ab7f8f0

SHA256
32adc4eabeb5c19ceccebf1731264a2be7a4b30b71f17224dc85cce057c41177

SHA512
eed359d8d227a85b750084978e4deff7e2b40b04047e8c21b1b7e278d3ac388866c5f81289d548e71f2712c55d00c3d2f309268977485e32dd5dc50468ea825c

Download Submit
C:\Users\Admin\AppData\Local\Temp\61ec9c33-2a53-47cd-bb59-e80fcf37eeff.vbs

Filesize
722B

MD5
d8f9f055e20654943e44d079c7203290

SHA1
38c3ddb53f4dbd9f165a38b4c183f7725d8f8cb2

SHA256
9b41d10032bf60ba47221dea73e18954fd68d4500d3d4662e1869f11106383f1

SHA512
63178289e18bb66207aed29ac10706017e27df599f86fa4bd71ead02a8582edd4c69d88c6b04a4730e3c31aea57881287d869bdc0b6b50e8262d8cc6a0c388cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3gp51foh.be0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aURWjxsM8E.bat

Filesize
211B

MD5
28d3ed4ac609922915ded7b7e7797f8d

SHA1
d86089df56e802c99086f3161c3603b514a8fe0a

SHA256
18a6d631529e58b1a29af754ce12d2c555901bf44e999c79cf59e5a57759348c

SHA512
a883d58e5c5d317f81629221b8fbc04473a75fa1184612304e338822d87861d964fe70715f42ea6a7ed2445a1b6993085a5970116273ce28f84fbb3896f3148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3045733-52b9-4417-beca-969476a86403.vbs

Filesize
722B

MD5
462f98e48657ed658e9752074d8df782

SHA1
3eca14479d1942d3c9e3c2e34c1d76e3c9baae5a

SHA256
e28c7ee87eda5df7b0ac872b8e10f3c5505b5805f301f2375b27ddbb0cbb22c3

SHA512
5371dc0abcde9f9e2396c59ad617fe8d634a10a3868f0001b7add20afae33f1ae5ac92d7262a04227cb1585fd253c857ae73c30a76abe08c8333959e779ad646

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4e9d005-a274-4c9d-9e8a-cde45e7f496e.vbs

Filesize
722B

MD5
43302e3470423e1559386f1b7aec6470

SHA1
f0be822c19b41392f4668c33f9d47a11f2384162

SHA256
19e381d76397da4b0d7794c11d29bdd66446695e36269cd900c913d12e001d39

SHA512
953b0ae29f31c6a7a4c83957aadc152c02ac60cbcd85bfafc42dcbaf9132e023019395e5558eb30cfd907f0aa2c3133cc0819ce6fdd54ca569e4327f850bb6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f20fcace-3e07-4e36-b305-22efcf9ac985.vbs

Filesize
722B

MD5
3e56f46a4ce44fdcdd7870d8bcb0967b

SHA1
71503dc69e0e97885114913d97d064f7fcb2a91a

SHA256
0327afaa1f446bbc7fe5746f148f20c5363b4ee5d54b686388a51f65e909ba54

SHA512
d883872c3d5952e349383633c8264325354923d325cd2d694757cf25374f6a3e34aa9bd232a27ddce4dc42ab0fa23e6e085372cdc937b7507af599c52cb62676

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb05199e-faa6-46e7-9eff-82d69577b2b2.vbs

Filesize
722B

MD5
f6d6fcf4c510501db27f5da4838e802b

SHA1
476442f4f16e6cdaf76beebf700df70ec0c0abdc

SHA256
c5135447409a7304a2b8f7a604fb29d893556c326bebfd8ec698bf8f9eb88588

SHA512
658d3e936233c279f2cd20b1ce2f7b531128753767753c615bd11058e10069e75a8f67a223cbd27e64e1065bc2e6d9598fa1b40051c10836ae5db7d393f4311f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95FA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/1260-391-0x000000001D7F0000-0x000000001D802000-memory.dmp

Filesize
72KB

Download
memory/1276-8-0x0000000002EE0000-0x0000000002EF6000-memory.dmp

Filesize
88KB

Download
memory/1276-2-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp

Filesize
10.8MB

Download
memory/1276-100-0x00007FFED23B0000-0x00007FFED2E71000-memory.dmp

Filesize
10.8MB

Download
memory/1276-9-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/1276-11-0x0000000002F20000-0x0000000002F32000-memory.dmp

Filesize
72KB

Download
memory/1276-6-0x0000000001450000-0x0000000001458000-memory.dmp

Filesize
32KB

Download
memory/1276-7-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

Filesize
64KB

Download
memory/1276-5-0x000000001C190000-0x000000001C1E0000-memory.dmp

Filesize
320KB

Download
memory/1276-4-0x0000000002EB0000-0x0000000002ECC000-memory.dmp

Filesize
112KB

Download
memory/1276-3-0x000000001BA40000-0x000000001BB6E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-0-0x0000000000760000-0x0000000000C54000-memory.dmp

Filesize
5.0MB

Download
memory/1276-12-0x000000001C710000-0x000000001CC38000-memory.dmp

Filesize
5.2MB

Download
memory/1276-13-0x0000000002F30000-0x0000000002F3A000-memory.dmp

Filesize
40KB

Download
memory/1276-15-0x000000001C1E0000-0x000000001C1EE000-memory.dmp

Filesize
56KB

Download
memory/1276-10-0x0000000002F10000-0x0000000002F1A000-memory.dmp

Filesize
40KB

Download
memory/1276-1-0x00007FFED23B3000-0x00007FFED23B5000-memory.dmp

Filesize
8KB

Download
memory/1276-17-0x000000001C200000-0x000000001C208000-memory.dmp

Filesize
32KB

Download
memory/1276-18-0x000000001C310000-0x000000001C31C000-memory.dmp

Filesize
48KB

Download
memory/1276-16-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/1276-14-0x000000001BB70000-0x000000001BB7E000-memory.dmp

Filesize
56KB

Download
memory/2056-228-0x00000000005D0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/3044-110-0x0000023EA5810000-0x0000023EA5832000-memory.dmp

Filesize
136KB

Download
memory/4292-67-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download