colibri | 1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042b

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Size

4.9MB
MD5

24d32f5bdea255704c0e4d3335268460
SHA1

db9240d03c8851ba034cf951a2d15be9076530af
SHA256

1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042b
SHA512

b52ad12cb44891460a30a040b3290e17c18592d1a8167f15c1df4a1ccec654270f0711d915b099359907079d3118c09294bf00b95fdc7f8d6a74778a969c98fc
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2844	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2844	schtasks.exe	84

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4812-3-0x000000001BBE0000-0x000000001BD0E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
3584	powershell.exe
2316	powershell.exe
4536	powershell.exe
2648	powershell.exe
3656	powershell.exe
4968	powershell.exe
4732	powershell.exe
3060	powershell.exe
4372	powershell.exe
1812	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe

Executes dropped EXE 40 IoCs

pid	Process
3692	tmpA1A1.tmp.exe
2840	tmpA1A1.tmp.exe
3100	tmpA1A1.tmp.exe
4592	winlogon.exe
2124	tmpEBD7.tmp.exe
852	tmpEBD7.tmp.exe
856	tmpEBD7.tmp.exe
1524	winlogon.exe
4960	tmp971.tmp.exe
4256	tmp971.tmp.exe
1968	winlogon.exe
3464	tmp2546.tmp.exe
1616	tmp2546.tmp.exe
5064	winlogon.exe
2996	tmp4244.tmp.exe
2628	tmp4244.tmp.exe
4356	winlogon.exe
2968	tmp7337.tmp.exe
1896	tmp7337.tmp.exe
4236	tmp7337.tmp.exe
2956	tmp7337.tmp.exe
760	winlogon.exe
3464	winlogon.exe
2980	tmpBF44.tmp.exe
4920	tmpBF44.tmp.exe
1368	winlogon.exe
4940	tmpDC03.tmp.exe
3432	tmpDC03.tmp.exe
2972	winlogon.exe
3504	tmpF894.tmp.exe
2840	tmpF894.tmp.exe
4792	tmpF894.tmp.exe
760	winlogon.exe
4736	tmp27C2.tmp.exe
3260	tmp27C2.tmp.exe
3148	winlogon.exe
316	tmp57DA.tmp.exe
4748	tmp57DA.tmp.exe
1588	tmp57DA.tmp.exe
4300	winlogon.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 3100	2840	tmpA1A1.tmp.exe	142
PID 852 set thread context of 856	852	tmpEBD7.tmp.exe	180
PID 4960 set thread context of 4256	4960	tmp971.tmp.exe	187
PID 3464 set thread context of 1616	3464	tmp2546.tmp.exe	194
PID 2996 set thread context of 2628	2996	tmp4244.tmp.exe	200
PID 4236 set thread context of 2956	4236	tmp7337.tmp.exe	208
PID 2980 set thread context of 4920	2980	tmpBF44.tmp.exe	217
PID 4940 set thread context of 3432	4940	tmpDC03.tmp.exe	223
PID 2840 set thread context of 4792	2840	tmpF894.tmp.exe	230
PID 4736 set thread context of 3260	4736	tmp27C2.tmp.exe	236
PID 4748 set thread context of 1588	4748	tmp57DA.tmp.exe	243

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\host\fxr\8.0.2\f3b6ecef712a24	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Common Files\Java\ea1d8f6d871115	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\RCXBD83.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\spoolsv.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RCXA2CB.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXB09C.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Internet Explorer\images\9e8d7a4ca61bd9	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\spoolsv.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\5b884080fd4f94	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\upfc.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\Common Files\System\es-ES\9e8d7a4ca61bd9	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\RCXB2B0.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXB8ED.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\winlogon.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\886983d96e3d3e	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\5b884080fd4f94	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\Common Files\Java\upfc.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SppExtComObj.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RCXC5C4.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\8.0.2\RCXA4EF.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\RCXB6D9.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SppExtComObj.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\e1ef82546f0b02	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\RCXC1AB.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\upfc.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\Speech\Common\de-DE\fontdrvhost.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\Offline Web Pages\e6c9b481da804f	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\RCX9FCB.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXBF97.tmp	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Windows\Offline Web Pages\OfficeClickToRun.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\OfficeClickToRun.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\upfc.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\Branding\Basebrd\fr-FR\ea1d8f6d871115	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\Offline Web Pages\OfficeClickToRun.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\OfficeClickToRun.exe	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
File created	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\e6c9b481da804f	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4244.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7337.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1A1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEBD7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2546.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp57DA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7337.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBF44.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF894.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF894.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp27C2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEBD7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp971.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7337.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA1A1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDC03.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp57DA.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1928	schtasks.exe
2996	schtasks.exe
3000	schtasks.exe
2216	schtasks.exe
3316	schtasks.exe
4092	schtasks.exe
4968	schtasks.exe
4948	schtasks.exe
5100	schtasks.exe
60	schtasks.exe
3564	schtasks.exe
1188	schtasks.exe
1760	schtasks.exe
2912	schtasks.exe
4172	schtasks.exe
2460	schtasks.exe
3568	schtasks.exe
4684	schtasks.exe
2248	schtasks.exe
4388	schtasks.exe
3452	schtasks.exe
1068	schtasks.exe
4744	schtasks.exe
2152	schtasks.exe
3712	schtasks.exe
3472	schtasks.exe
452	schtasks.exe
1392	schtasks.exe
3228	schtasks.exe
4272	schtasks.exe
1396	schtasks.exe
4584	schtasks.exe
4080	schtasks.exe
1964	schtasks.exe
2096	schtasks.exe
2512	schtasks.exe
5084	schtasks.exe
384	schtasks.exe
3308	schtasks.exe
4204	schtasks.exe
2660	schtasks.exe
4860	schtasks.exe
3524	schtasks.exe
4224	schtasks.exe
5064	schtasks.exe
4536	schtasks.exe
2648	schtasks.exe
592	schtasks.exe
4724	schtasks.exe
2200	schtasks.exe
1208	schtasks.exe
4444	schtasks.exe
2380	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
4732	powershell.exe
4732	powershell.exe
1964	powershell.exe
1964	powershell.exe
3060	powershell.exe
3060	powershell.exe
2316	powershell.exe
2316	powershell.exe
4536	powershell.exe
4536	powershell.exe
4372	powershell.exe
4372	powershell.exe
1812	powershell.exe
1812	powershell.exe
3656	powershell.exe
3656	powershell.exe
4968	powershell.exe
4968	powershell.exe
2648	powershell.exe
2648	powershell.exe
3584	powershell.exe
3584	powershell.exe
3656	powershell.exe
4732	powershell.exe
1964	powershell.exe
3060	powershell.exe
4536	powershell.exe
4372	powershell.exe
2316	powershell.exe
1812	powershell.exe
2648	powershell.exe
4968	powershell.exe
3584	powershell.exe
4592	winlogon.exe
1524	winlogon.exe
1968	winlogon.exe
5064	winlogon.exe
4356	winlogon.exe
760	winlogon.exe
3464	winlogon.exe
1368	winlogon.exe
2972	winlogon.exe
760	winlogon.exe
3148	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	4592	winlogon.exe
Token: SeDebugPrivilege	1524	winlogon.exe
Token: SeDebugPrivilege	1968	winlogon.exe
Token: SeDebugPrivilege	5064	winlogon.exe
Token: SeDebugPrivilege	4356	winlogon.exe
Token: SeDebugPrivilege	760	winlogon.exe
Token: SeDebugPrivilege	3464	winlogon.exe
Token: SeDebugPrivilege	1368	winlogon.exe
Token: SeDebugPrivilege	2972	winlogon.exe
Token: SeDebugPrivilege	760	winlogon.exe
Token: SeDebugPrivilege	3148	winlogon.exe
Token: SeDebugPrivilege	4300	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 3692	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	139
PID 4812 wrote to memory of 3692	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	139
PID 4812 wrote to memory of 3692	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	139
PID 3692 wrote to memory of 2840	3692	tmpA1A1.tmp.exe	141
PID 3692 wrote to memory of 2840	3692	tmpA1A1.tmp.exe	141
PID 3692 wrote to memory of 2840	3692	tmpA1A1.tmp.exe	141
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 2840 wrote to memory of 3100	2840	tmpA1A1.tmp.exe	142
PID 4812 wrote to memory of 4372	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	147
PID 4812 wrote to memory of 4372	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	147
PID 4812 wrote to memory of 3060	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	148
PID 4812 wrote to memory of 3060	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	148
PID 4812 wrote to memory of 1964	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	149
PID 4812 wrote to memory of 1964	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	149
PID 4812 wrote to memory of 4732	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	150
PID 4812 wrote to memory of 4732	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	150
PID 4812 wrote to memory of 4968	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	151
PID 4812 wrote to memory of 4968	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	151
PID 4812 wrote to memory of 3656	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	152
PID 4812 wrote to memory of 3656	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	152
PID 4812 wrote to memory of 2648	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	153
PID 4812 wrote to memory of 2648	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	153
PID 4812 wrote to memory of 2316	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	154
PID 4812 wrote to memory of 2316	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	154
PID 4812 wrote to memory of 3584	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	155
PID 4812 wrote to memory of 3584	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	155
PID 4812 wrote to memory of 4536	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	156
PID 4812 wrote to memory of 4536	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	156
PID 4812 wrote to memory of 1812	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	157
PID 4812 wrote to memory of 1812	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	157
PID 4812 wrote to memory of 4748	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	169
PID 4812 wrote to memory of 4748	4812	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe	169
PID 4748 wrote to memory of 5064	4748	cmd.exe	171
PID 4748 wrote to memory of 5064	4748	cmd.exe	171
PID 4748 wrote to memory of 4592	4748	cmd.exe	174
PID 4748 wrote to memory of 4592	4748	cmd.exe	174
PID 4592 wrote to memory of 1136	4592	winlogon.exe	175
PID 4592 wrote to memory of 1136	4592	winlogon.exe	175
PID 4592 wrote to memory of 2020	4592	winlogon.exe	176
PID 4592 wrote to memory of 2020	4592	winlogon.exe	176
PID 4592 wrote to memory of 2124	4592	winlogon.exe	177
PID 4592 wrote to memory of 2124	4592	winlogon.exe	177
PID 4592 wrote to memory of 2124	4592	winlogon.exe	177
PID 2124 wrote to memory of 852	2124	tmpEBD7.tmp.exe	179
PID 2124 wrote to memory of 852	2124	tmpEBD7.tmp.exe	179
PID 2124 wrote to memory of 852	2124	tmpEBD7.tmp.exe	179
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 852 wrote to memory of 856	852	tmpEBD7.tmp.exe	180
PID 1136 wrote to memory of 1524	1136	WScript.exe	181
PID 1136 wrote to memory of 1524	1136	WScript.exe	181
PID 1524 wrote to memory of 4948	1524	winlogon.exe	182
PID 1524 wrote to memory of 4948	1524	winlogon.exe	182
PID 1524 wrote to memory of 3208	1524	winlogon.exe	183
PID 1524 wrote to memory of 3208	1524	winlogon.exe	183

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe
"C:\Users\Admin\AppData\Local\Temp\1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042bN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4812
- C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\opbToUDi9C.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5064
- - C:\Recovery\WindowsRE\winlogon.exe
    "C:\Recovery\WindowsRE\winlogon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4592
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6564c39-5159-43b8-a0b3-1eda53b969b0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1524
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de14e7ad-bfa1-4f14-8379-e6063e18d231.vbs"
        6⤵
        
        PID:4948
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a89674e8-2856-4af6-878b-896c13ddb437.vbs"
        8⤵
        
        PID:4884
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b358c2ae-e112-4ed4-bfdf-a551d3e72c89.vbs"
        10⤵
        
        PID:4112
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b005aad-9486-48f1-b69b-904bedb4a196.vbs"
        12⤵
        
        PID:2324
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0781c99-7657-4619-ad7e-0844cb988a6b.vbs"
        14⤵
        
        PID:3340
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\652d7dc1-ecc1-44b8-a291-4c5c73a5870f.vbs"
        16⤵
        
        PID:4092
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\852bdd11-3f25-4703-b28e-e0201c7d492b.vbs"
        18⤵
        
        PID:4452
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b74711b1-c9fe-4e73-a6b1-1ea3a3acfd3d.vbs"
        20⤵
        
        PID:3720
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5d17f76-995d-4f16-b805-a48ba9e7425f.vbs"
        22⤵
        
        PID:2200
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bed65d64-685b-4b36-a1db-1e3c0556ca0b.vbs"
        24⤵
        
        PID:5004
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        C:\Recovery\WindowsRE\winlogon.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e4174a4-7fbd-476b-a50e-d40de39e9655.vbs"
        24⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a02e32f-cdad-4ff5-aa73-234fc4ff031b.vbs"
        22⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp27C2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp27C2.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp27C2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp27C2.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27278979-0a80-4dfe-b67c-62e79fa84b98.vbs"
        20⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF894.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afd13078-f457-4e8f-bc39-3d1d31fb9841.vbs"
        18⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpDC03.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDC03.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmpDC03.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDC03.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab5a5b49-ba0a-4d25-833b-10e2bc8e26d8.vbs"
        16⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmpBF44.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBF44.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmpBF44.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBF44.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c6e3fd7-867c-4aaf-86df-39a9b0702f5c.vbs"
        14⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62882a26-80f4-4ee5-9150-91696fae267b.vbs"
        12⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7337.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cc65c35-175b-4f17-85c8-53085bcc06d3.vbs"
        10⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4244.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efb22bcd-fc75-4b51-8cf1-8da1706e1de3.vbs"
        8⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2546.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1616
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a48007a-73fb-498e-bcdd-655f9d5f57aa.vbs"
        6⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\tmp971.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp971.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp971.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp971.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4256
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\350f1a9e-bd66-4a39-9926-cd5e3454d3fa.vbs"
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEBD7.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\Basebrd\fr-FR\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\fxr\8.0.2\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses16\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Java\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\es-ES\RuntimeBroker.exe

Filesize
4.9MB

MD5
bacddcd0df7e8ac408ceba2737a4b033

SHA1
4e120ab025e7aa7f4e0c8567b4624a732269cb14

SHA256
51eda13ca3ca44d0818f5baa2d824014ef3c053ee32bab010817295e2ee9e15f

SHA512
eb8ab417c7981235096b2077502e2f7890422864b732230a3e8d7ce77d5201c9f3dc4190adfd101bb36751e11fecdbd35429e98f6a0828cf306f021f0c6e47f2

Download Submit
C:\Program Files\WindowsPowerShell\Configuration\Schema\RCXB09C.tmp

Filesize
4.9MB

MD5
c395196b24495db01ab22acdfe9a804d

SHA1
45c00e6ddbe6be65ef737401c893fb93e7d5a976

SHA256
8c7b47ed03d501f11edbeb660ace7b0511809c9d88ea9973be5e8f3eafa7f73e

SHA512
1ddb6c77da11a5e200ac87912d53dd9874ec2aefd2d00560d1d12fce21ada93077868d7c04d3efaf06efc0e7288647a0e4cf6567a35d2fbff7d02570d360e25b

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
4.9MB

MD5
24d32f5bdea255704c0e4d3335268460

SHA1
db9240d03c8851ba034cf951a2d15be9076530af

SHA256
1c576ac232fa52e44ddc12fcefa1a5803750c5efd1d9e82176b7a0f54d40042b

SHA512
b52ad12cb44891460a30a040b3290e17c18592d1a8167f15c1df4a1ccec654270f0711d915b099359907079d3118c09294bf00b95fdc7f8d6a74778a969c98fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\350f1a9e-bd66-4a39-9926-cd5e3454d3fa.vbs

Filesize
486B

MD5
7f17f8d74a53b3b2307e87e98386cbf1

SHA1
95784e50ad58c2a5f9bc6b4cb09848d40ef30313

SHA256
358acdea4f631920b73ca0f5a408da4ad5f927633a00c25aecebcdb982507076

SHA512
6c53325d5228698056b47ecf7e448d8650028a631cc1bb03ff530ddcc3c24b525225d592ef838b5908287f704ca2ec3850fff301203e7108d5a806de684d6322

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b005aad-9486-48f1-b69b-904bedb4a196.vbs

Filesize
710B

MD5
e839ac94985c28a2e98e5aede0e3f2de

SHA1
597d63f03dc06b1f5dcd7bec4c4bafe8f268f90a

SHA256
be958e279b96463479391a4b4ee0873fd16216e07b38bf6bee9f63995c96dc2c

SHA512
ea724636e70795e6b19c7e0cda297173171d4722724a4d8a5f8f95f145b46b477dd7fdea299126b2df3142688dfcc07ae7afbd4960d6ae85de1a4ed142574b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\652d7dc1-ecc1-44b8-a291-4c5c73a5870f.vbs

Filesize
710B

MD5
4ff52411c3c15eec275b0145992a6813

SHA1
5723007045fa2c3bb331fef9460877504a4e7730

SHA256
a5514c83b6c306ac34f0ec5aed22b7c0aab08f33325295a394b3cbbabe9087df

SHA512
22a84787de91addce1485a4b9d5729151cbeb5c05b3dd3b350014e2fbe0075d80462afa9d4f7c435a3d38f20621c64185d32ce34ae0d78e21abb5758312fac39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itbpuh2h.ewe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a89674e8-2856-4af6-878b-896c13ddb437.vbs

Filesize
710B

MD5
a30f3ba1e64fc92b1d3034e77aa73a89

SHA1
4739ae1ca76a2532ad98f3aaaf3374e4061957c0

SHA256
622db54324b72760f35cfde6c822dcfc3cbad681d644845d8c4db276f1c713dd

SHA512
6a5222771a8cc609bb4218023103210f2610f2bde920091904e6b78684ef208fa3cbaf73ce72f536a0ad81cb99e4733478fe935ace268b38ebdf7716cd0022a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b358c2ae-e112-4ed4-bfdf-a551d3e72c89.vbs

Filesize
710B

MD5
d109c1370ca231eb7200843106e0c920

SHA1
7ae939cd86a3e09590fd2ce4aa0a973b816dae29

SHA256
9218e9d9bfb167ae91399a74490a4fc0fc22c77a67dc1439dd18390504457d8f

SHA512
12c90be766c4c029a0339b484cedecf14223d7878f15eb8337f066fef952a3615461f54db50da2bc5048192c69210b66f3d5e15faf8c91d094fcf4b6f1b5c50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0781c99-7657-4619-ad7e-0844cb988a6b.vbs

Filesize
709B

MD5
a23861dfbd65b51af8224c94e4bfd93d

SHA1
823f369327284a59ad87605099669781e2535815

SHA256
712efa5e0577805b8a2db1c2abd177a63c9d4419663d32c767a733677da784e4

SHA512
9e8f80da3f8d8fab4bd5c9ba8f4ec0df94822f94f6207228bb9928a0857d34e732238b2fe1b484c82ce15fc422bf848d2859987696fc6ab30cd4929bfd17f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6564c39-5159-43b8-a0b3-1eda53b969b0.vbs

Filesize
710B

MD5
6091bbbbc59fc7482e37ea53376218d7

SHA1
ce26e41fd08de35cad729e6f820b4b5f8e794356

SHA256
58eaca114de6798aee7f434446d783fc7f151e2464bf85b57bbb9b2098623667

SHA512
293b96e6e0dd59e19a901d7299f48d82ead98964b324b03fd9bb1e695dfe403d3c893dacfac92970c5bde746736d23a0fd1ec3ce231bf52d460fd9e65093c9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\de14e7ad-bfa1-4f14-8379-e6063e18d231.vbs

Filesize
710B

MD5
3e0654d595a76daf7abd90c978be2b0e

SHA1
73a4b473cc0ad5fe6669c0e67af4724141570dfe

SHA256
13b859ce5b1499305eaef5d3722bca89dbbe350f054d77d253101470e6956497

SHA512
d5b52ba05825a827bcbe4607fd7b5131e89a05e66f8a1c9c7d69b6fb4f853eb19a2015abfaa2cb831f5a2d62212be0f890f3294629457a1cbbf3831df703f2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\opbToUDi9C.bat

Filesize
199B

MD5
e7c41eb5512bd5f87cd9acf582ef849f

SHA1
dd8692d43d9af0ba072552bcfe20f6d2acbc7760

SHA256
a8ba4c633f2b96748582245e2bf01e806d3fd2cf718efef325f7c3ad922052a0

SHA512
9a50f1b2acb0f4dd06eb11f689ce3762dc47aa28521f11190adb143a043d9877ccfbcde8b485b8d9871c925ee6cd6b5f46a092b58674a3318674a0e9bec7767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1A1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/760-453-0x000000001C020000-0x000000001C032000-memory.dmp

Filesize
72KB

Download
memory/1964-215-0x0000021859FF0000-0x000002185A012000-memory.dmp

Filesize
136KB

Download
memory/3100-83-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3148-536-0x000000001C790000-0x000000001C7A2000-memory.dmp

Filesize
72KB

Download
memory/3464-465-0x0000000003460000-0x0000000003472000-memory.dmp

Filesize
72KB

Download
memory/4812-18-0x000000001C510000-0x000000001C51C000-memory.dmp

Filesize
48KB

Download
memory/4812-17-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/4812-200-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/4812-159-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/4812-152-0x00007FFC10373000-0x00007FFC10375000-memory.dmp

Filesize
8KB

Download
memory/4812-7-0x000000001C310000-0x000000001C320000-memory.dmp

Filesize
64KB

Download
memory/4812-4-0x00000000030B0000-0x00000000030CC000-memory.dmp

Filesize
112KB

Download
memory/4812-3-0x000000001BBE0000-0x000000001BD0E000-memory.dmp

Filesize
1.2MB

Download
memory/4812-2-0x00007FFC10370000-0x00007FFC10E31000-memory.dmp

Filesize
10.8MB

Download
memory/4812-0-0x00007FFC10373000-0x00007FFC10375000-memory.dmp

Filesize
8KB

Download
memory/4812-6-0x00000000030D0000-0x00000000030D8000-memory.dmp

Filesize
32KB

Download
memory/4812-5-0x000000001C360000-0x000000001C3B0000-memory.dmp

Filesize
320KB

Download
memory/4812-1-0x0000000000970000-0x0000000000E64000-memory.dmp

Filesize
5.0MB

Download
memory/4812-9-0x000000001C340000-0x000000001C350000-memory.dmp

Filesize
64KB

Download
memory/4812-16-0x000000001C3F0000-0x000000001C3F8000-memory.dmp

Filesize
32KB

Download
memory/4812-13-0x000000001C3C0000-0x000000001C3CA000-memory.dmp

Filesize
40KB

Download
memory/4812-14-0x000000001C3D0000-0x000000001C3DE000-memory.dmp

Filesize
56KB

Download
memory/4812-15-0x000000001C3E0000-0x000000001C3EE000-memory.dmp

Filesize
56KB

Download
memory/4812-12-0x000000001C8F0000-0x000000001CE18000-memory.dmp

Filesize
5.2MB

Download
memory/4812-11-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

Filesize
72KB

Download
memory/4812-10-0x000000001C350000-0x000000001C35A000-memory.dmp

Filesize
40KB

Download
memory/4812-8-0x000000001C320000-0x000000001C336000-memory.dmp

Filesize
88KB

Download