colibri | 5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

Analysis

max time kernel
118s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Size

4.9MB
MD5

fbad13694fbd76b4a28785c6fa12af90
SHA1

35aca1ddefc9672625d9e94fd886810f30eea843
SHA256

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2
SHA512

0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3392	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3392	schtasks.exe	82

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4876-3-0x000000001C1B0000-0x000000001C2DE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1484	powershell.exe
3608	powershell.exe
468	powershell.exe
700	powershell.exe
1980	powershell.exe
2784	powershell.exe
4792	powershell.exe
4500	powershell.exe
4784	powershell.exe
3796	powershell.exe
3784	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 35 IoCs

Processes:

tmpECF2.tmp.exetmpECF2.tmp.exefontdrvhost.exetmp35FF.tmp.exetmp35FF.tmp.exefontdrvhost.exetmp677F.tmp.exetmp677F.tmp.exefontdrvhost.exetmp8325.tmp.exetmp8325.tmp.exefontdrvhost.exetmpB35D.tmp.exetmpB35D.tmp.exetmpB35D.tmp.exefontdrvhost.exetmpE412.tmp.exetmpE412.tmp.exefontdrvhost.exetmp100.tmp.exetmp100.tmp.exefontdrvhost.exetmp32CE.tmp.exetmp32CE.tmp.exefontdrvhost.exetmp4FCC.tmp.exetmp4FCC.tmp.exetmp4FCC.tmp.exefontdrvhost.exetmp81D8.tmp.exetmp81D8.tmp.exefontdrvhost.exetmp9E1B.tmp.exetmp9E1B.tmp.exetmp9E1B.tmp.exe

pid	Process
4116	tmpECF2.tmp.exe
2868	tmpECF2.tmp.exe
1296	fontdrvhost.exe
4836	tmp35FF.tmp.exe
3268	tmp35FF.tmp.exe
4268	fontdrvhost.exe
1720	tmp677F.tmp.exe
3036	tmp677F.tmp.exe
2788	fontdrvhost.exe
2180	tmp8325.tmp.exe
3820	tmp8325.tmp.exe
4392	fontdrvhost.exe
2952	tmpB35D.tmp.exe
2980	tmpB35D.tmp.exe
4060	tmpB35D.tmp.exe
4584	fontdrvhost.exe
4448	tmpE412.tmp.exe
3680	tmpE412.tmp.exe
2092	fontdrvhost.exe
512	tmp100.tmp.exe
4304	tmp100.tmp.exe
4576	fontdrvhost.exe
2376	tmp32CE.tmp.exe
2700	tmp32CE.tmp.exe
4176	fontdrvhost.exe
1240	tmp4FCC.tmp.exe
5076	tmp4FCC.tmp.exe
1584	tmp4FCC.tmp.exe
3784	fontdrvhost.exe
4776	tmp81D8.tmp.exe
4792	tmp81D8.tmp.exe
4348	fontdrvhost.exe
3176	tmp9E1B.tmp.exe
1124	tmp9E1B.tmp.exe
2332	tmp9E1B.tmp.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmpECF2.tmp.exetmp35FF.tmp.exetmp677F.tmp.exetmp8325.tmp.exetmpB35D.tmp.exetmpE412.tmp.exetmp100.tmp.exetmp32CE.tmp.exetmp4FCC.tmp.exetmp81D8.tmp.exetmp9E1B.tmp.exe

description	pid	Process	procid_target
PID 4116 set thread context of 2868	4116	tmpECF2.tmp.exe	136
PID 4836 set thread context of 3268	4836	tmp35FF.tmp.exe	171
PID 1720 set thread context of 3036	1720	tmp677F.tmp.exe	181
PID 2180 set thread context of 3820	2180	tmp8325.tmp.exe	187
PID 2980 set thread context of 4060	2980	tmpB35D.tmp.exe	194
PID 4448 set thread context of 3680	4448	tmpE412.tmp.exe	200
PID 512 set thread context of 4304	512	tmp100.tmp.exe	206
PID 2376 set thread context of 2700	2376	tmp32CE.tmp.exe	212
PID 5076 set thread context of 1584	5076	tmp4FCC.tmp.exe	219
PID 4776 set thread context of 4792	4776	tmp81D8.tmp.exe	225
PID 1124 set thread context of 2332	1124	tmp9E1B.tmp.exe	232

Drops file in Program Files directory 24 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\886983d96e3d3e	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fontdrvhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB85.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\smss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Windows Photo Viewer\fontdrvhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXEB99.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXF60F.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\RCXD99.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\7-Zip\Lang\fontdrvhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\7-Zip\Lang\5b884080fd4f94	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\Windows Photo Viewer\5b884080fd4f94	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files\7-Zip\Lang\e6c9b481da804f	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Common Files\Services\csrss.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\69ddcba757bf72	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXFB12.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCX259.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Drops file in Windows directory 17 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

description	ioc	Process
File created	C:\Windows\ShellComponents\upfc.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\ShellComponents\ee2ad38f3d4382	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Downloaded Program Files\38384e6a620884	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Speech\Common\es-ES\sihost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\5940a34987c991	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\ShellComponents\upfc.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\ShellComponents\ea1d8f6d871115	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\ShellComponents\Registry.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\ShellComponents\Registry.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\ShellComponents\RCXEDAF.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\ShellComponents\RCXEFC3.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXF891.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\Downloaded Program Files\SearchApp.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\Downloaded Program Files\SearchApp.exe	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXFAD.tmp	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp9E1B.tmp.exetmp35FF.tmp.exetmp81D8.tmp.exetmpB35D.tmp.exetmp100.tmp.exetmp32CE.tmp.exetmpECF2.tmp.exetmpB35D.tmp.exetmpE412.tmp.exetmp4FCC.tmp.exetmp4FCC.tmp.exetmp9E1B.tmp.exetmp677F.tmp.exetmp8325.tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E1B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp35FF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81D8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB35D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp100.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp32CE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECF2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB35D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE412.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4FCC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4FCC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9E1B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp677F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8325.tmp.exe

Modifies registry class 11 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2180	schtasks.exe
3544	schtasks.exe
2724	schtasks.exe
964	schtasks.exe
4520	schtasks.exe
468	schtasks.exe
3452	schtasks.exe
4616	schtasks.exe
1908	schtasks.exe
1888	schtasks.exe
2952	schtasks.exe
3292	schtasks.exe
4584	schtasks.exe
3276	schtasks.exe
2692	schtasks.exe
976	schtasks.exe
3468	schtasks.exe
1692	schtasks.exe
3948	schtasks.exe
2944	schtasks.exe
1156	schtasks.exe
456	schtasks.exe
2044	schtasks.exe
2164	schtasks.exe
3440	schtasks.exe
3528	schtasks.exe
744	schtasks.exe
1720	schtasks.exe
4268	schtasks.exe
4528	schtasks.exe
5092	schtasks.exe
3732	schtasks.exe
4136	schtasks.exe
2252	schtasks.exe
4804	schtasks.exe
4824	schtasks.exe
3820	schtasks.exe
4184	schtasks.exe
2716	schtasks.exe
1652	schtasks.exe
2624	schtasks.exe
4464	schtasks.exe
64	schtasks.exe
3596	schtasks.exe
4700	schtasks.exe
2284	schtasks.exe
4680	schtasks.exe
2520	schtasks.exe
1176	schtasks.exe
1608	schtasks.exe
4104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	Process
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
3796	powershell.exe
3796	powershell.exe
4792	powershell.exe
4792	powershell.exe
1484	powershell.exe
1484	powershell.exe
1980	powershell.exe
1980	powershell.exe
468	powershell.exe
468	powershell.exe
2784	powershell.exe
2784	powershell.exe
3784	powershell.exe
3784	powershell.exe
4784	powershell.exe
4784	powershell.exe
3608	powershell.exe
3608	powershell.exe
4500	powershell.exe
4500	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
4792	powershell.exe
3796	powershell.exe
1980	powershell.exe
1484	powershell.exe
4784	powershell.exe
468	powershell.exe
3784	powershell.exe
2784	powershell.exe
3608	powershell.exe
4500	powershell.exe
1296	fontdrvhost.exe
4268	fontdrvhost.exe
2788	fontdrvhost.exe
4392	fontdrvhost.exe
4584	fontdrvhost.exe
2092	fontdrvhost.exe
4576	fontdrvhost.exe
4176	fontdrvhost.exe
3784	fontdrvhost.exe
4348	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	1296	fontdrvhost.exe
Token: SeDebugPrivilege	4268	fontdrvhost.exe
Token: SeDebugPrivilege	2788	fontdrvhost.exe
Token: SeDebugPrivilege	4392	fontdrvhost.exe
Token: SeDebugPrivilege	4584	fontdrvhost.exe
Token: SeDebugPrivilege	2092	fontdrvhost.exe
Token: SeDebugPrivilege	4576	fontdrvhost.exe
Token: SeDebugPrivilege	4176	fontdrvhost.exe
Token: SeDebugPrivilege	3784	fontdrvhost.exe
Token: SeDebugPrivilege	4348	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exetmpECF2.tmp.execmd.exefontdrvhost.exetmp35FF.tmp.exeWScript.exefontdrvhost.exetmp677F.tmp.exe

description	pid	Process	procid_target
PID 4876 wrote to memory of 4116	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	134
PID 4876 wrote to memory of 4116	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	134
PID 4876 wrote to memory of 4116	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	134
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4116 wrote to memory of 2868	4116	tmpECF2.tmp.exe	136
PID 4876 wrote to memory of 3608	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	137
PID 4876 wrote to memory of 3608	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	137
PID 4876 wrote to memory of 4792	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	138
PID 4876 wrote to memory of 4792	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	138
PID 4876 wrote to memory of 3784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	139
PID 4876 wrote to memory of 3784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	139
PID 4876 wrote to memory of 1484	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	140
PID 4876 wrote to memory of 1484	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	140
PID 4876 wrote to memory of 2784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	141
PID 4876 wrote to memory of 2784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	141
PID 4876 wrote to memory of 700	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	142
PID 4876 wrote to memory of 700	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	142
PID 4876 wrote to memory of 4784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	143
PID 4876 wrote to memory of 4784	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	143
PID 4876 wrote to memory of 4500	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	144
PID 4876 wrote to memory of 4500	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	144
PID 4876 wrote to memory of 468	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	145
PID 4876 wrote to memory of 468	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	145
PID 4876 wrote to memory of 1980	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	147
PID 4876 wrote to memory of 1980	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	147
PID 4876 wrote to memory of 3796	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	148
PID 4876 wrote to memory of 3796	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	148
PID 4876 wrote to memory of 2044	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	158
PID 4876 wrote to memory of 2044	4876	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe	158
PID 2044 wrote to memory of 3000	2044	cmd.exe	161
PID 2044 wrote to memory of 3000	2044	cmd.exe	161
PID 2044 wrote to memory of 1296	2044	cmd.exe	165
PID 2044 wrote to memory of 1296	2044	cmd.exe	165
PID 1296 wrote to memory of 1868	1296	fontdrvhost.exe	167
PID 1296 wrote to memory of 1868	1296	fontdrvhost.exe	167
PID 1296 wrote to memory of 4132	1296	fontdrvhost.exe	168
PID 1296 wrote to memory of 4132	1296	fontdrvhost.exe	168
PID 1296 wrote to memory of 4836	1296	fontdrvhost.exe	169
PID 1296 wrote to memory of 4836	1296	fontdrvhost.exe	169
PID 1296 wrote to memory of 4836	1296	fontdrvhost.exe	169
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 4836 wrote to memory of 3268	4836	tmp35FF.tmp.exe	171
PID 1868 wrote to memory of 4268	1868	WScript.exe	175
PID 1868 wrote to memory of 4268	1868	WScript.exe	175
PID 4268 wrote to memory of 4792	4268	fontdrvhost.exe	177
PID 4268 wrote to memory of 4792	4268	fontdrvhost.exe	177
PID 4268 wrote to memory of 3540	4268	fontdrvhost.exe	178
PID 4268 wrote to memory of 3540	4268	fontdrvhost.exe	178
PID 4268 wrote to memory of 1720	4268	fontdrvhost.exe	179
PID 4268 wrote to memory of 1720	4268	fontdrvhost.exe	179
PID 4268 wrote to memory of 1720	4268	fontdrvhost.exe	179
PID 1720 wrote to memory of 3036	1720	tmp677F.tmp.exe	181
PID 1720 wrote to memory of 3036	1720	tmp677F.tmp.exe	181
PID 1720 wrote to memory of 3036	1720	tmp677F.tmp.exe	181

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

Processes:

fontdrvhost.exe5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe
"C:\Users\Admin\AppData\Local\Temp\5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4876
- C:\Users\Admin\AppData\Local\Temp\tmpECF2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpECF2.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Users\Admin\AppData\Local\Temp\tmpECF2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpECF2.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WdPp5RTFGg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3000
- - C:\Program Files\7-Zip\Lang\fontdrvhost.exe
    "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1296
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd098fef-9415-4a96-be54-44a8649c9b71.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\577d4905-2fc3-49f5-9643-411058c045f5.vbs"
        6⤵
        
        PID:4792
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\414b98a9-002c-4f4b-bf07-68425e99de77.vbs"
        8⤵
        
        PID:1340
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41856dbd-a2bc-4216-a19a-bfce35d29d16.vbs"
        10⤵
        
        PID:5048
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1164a82c-5f89-4ede-ac0c-92fa357bd654.vbs"
        12⤵
        
        PID:3716
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34cb6732-22d2-4f42-900e-cd609d329eb2.vbs"
        14⤵
        
        PID:4564
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d227eeb6-91bd-43f4-8a3d-632fc26c664d.vbs"
        16⤵
        
        PID:4432
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\886a73ca-9e2f-439b-bfd4-e962ffb917d1.vbs"
        18⤵
        
        PID:4540
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d35cbc9b-1642-43bf-90e6-b93e61771946.vbs"
        20⤵
        
        PID:1572
        
        C:\Program Files\7-Zip\Lang\fontdrvhost.exe
        
        "C:\Program Files\7-Zip\Lang\fontdrvhost.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\073edec8-96dd-461b-88ac-f63141389fd9.vbs"
        22⤵
        
        PID:676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e99b5101-8803-42b7-850b-a7a7788151da.vbs"
        22⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9E1B.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67b4df0f-260d-4353-98e3-82ad760eb4d9.vbs"
        20⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp81D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp81D8.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp81D8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp81D8.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa90ef42-93f4-47fe-8e9e-8a8b4d8f47d2.vbs"
        18⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4FCC.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec3eb69c-fa45-4294-b2cf-89beb586f165.vbs"
        16⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp32CE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32CE.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp32CE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32CE.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\851508f2-ab9b-4ef2-b3d8-949cf4b39c0e.vbs"
        14⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp100.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b244965-dbdf-4555-bd8a-c4f14e40862a.vbs"
        12⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2339f03a-61d9-4a46-a9df-4589c9756095.vbs"
        10⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB35D.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06eca6c3-5376-46bc-b6b0-9f7ccc86c4b8.vbs"
        8⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp8325.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8325.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp8325.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8325.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d911d289-1a8c-485d-9c90-0aee1314daba.vbs"
        6⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp677F.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:3036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c006aeb7-b548-4a3a-a16e-26078f3158be.vbs"
      4⤵
      PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\tmp35FF.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp35FF.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\tmp35FF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp35FF.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\ShellComponents\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\RCXFB12.tmp

Filesize
4.9MB

MD5
41411438636a43820c0d127118a5ac35

SHA1
d5c79a49cedaad7984334167a5f672f2b759430c

SHA256
e49f7089b5ef44205aa363a463266218ccb7750dc2414cd5a89bd81611011702

SHA512
717b9f6d50f07ff92bf6d92b854c44666e5968b5ac1296f792e3cf972770eff57309acd2ecb66cfaf93dfb97c81a6c77e39854ceafd78a35d80548194828201a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\1164a82c-5f89-4ede-ac0c-92fa357bd654.vbs

Filesize
719B

MD5
fccfeb433f34d5590fd0ab02d303def4

SHA1
aa754cb33ad0a961db3cd9e49bf2d53c7a9a762e

SHA256
11fe3bb1d49bb7b7320a0c22b679d014e056f59c6cbbff1e67eccb0f3dee7d4a

SHA512
47e1adac025e42e5850e371802e0cec5ecbfb654f63c6929670bdbe2be1ccb29e03ba065a6ede125ef061995d42e69f7443ac9c9b889dd4feb23a64671d876bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\34cb6732-22d2-4f42-900e-cd609d329eb2.vbs

Filesize
719B

MD5
ac5ac5f19bd0b5b98de6ea2d3beb039c

SHA1
d4a75c09d9d6b0f7a34c4821518907bec3d6f3b2

SHA256
9f8e92341e34f3720b4a9048add829f9ddedd1f2bca2b74fd188bb235f787fe9

SHA512
430f53668b23dce981c51dc449e4aba9473b2a108da73fca32b82f60900e224c32db12c86d1c7bffe3097ecfe6cf1da52962080e195aa3e35953fef2bfd6ca06

Download Submit
C:\Users\Admin\AppData\Local\Temp\414b98a9-002c-4f4b-bf07-68425e99de77.vbs

Filesize
719B

MD5
ebdedfa614907208c5126c3238448e29

SHA1
5332c178863607f3fc8e373653909310485b1ea9

SHA256
00872e64319f5d66d541aa0c5b924d47cc6b1481c234de26468799cada4afeb7

SHA512
d00ff3900e7d2c1e9bb45c8701af5555f65bc111a028dc128568e8d2264ebd4d93403c0610b26b54a227478be89de04319d6995052e42053da99b7b32a591436

Download Submit
C:\Users\Admin\AppData\Local\Temp\41856dbd-a2bc-4216-a19a-bfce35d29d16.vbs

Filesize
719B

MD5
f324d3d0039a70fe38d07b0d69c614c7

SHA1
604c5110d3d9fffeb247c08e621b9df16b4d84d6

SHA256
910684a09904490eeb5f23d7cf59b08751d5cafb71436db09ea13f6f2dba5bdc

SHA512
25e0e723174e3ccc08042cdd7807984ee908555152a6616d2682fbffb916dc0625fe39a30654aefa0412481980a92d0e286f88578f81fa429af2d40165cadd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\577d4905-2fc3-49f5-9643-411058c045f5.vbs

Filesize
719B

MD5
b215f3159cca895ca944af32e30c9df3

SHA1
6a604df810cebb2cefa7b4ccbad739b791de6b98

SHA256
89d74618603485369cfcd1cc56b24db7ecbc731c59d4fe93a8778e5080d394fc

SHA512
945f053b11b97952cd06767f3f3e699b11bab2971b5e2a7af9e4524e058e813e008a6fac1e4cae098029d85b52982667ab8fefbc5b790bf66c55dccae507c600

Download Submit
C:\Users\Admin\AppData\Local\Temp\WdPp5RTFGg.bat

Filesize
208B

MD5
54fde5fbaa4df8ce0d6c0e387766bf80

SHA1
fa27009b3b9a22b4baee323b58ff70cbed04f840

SHA256
923517de2d6c7053b60404ab3c061f5e2ead495da8f6f16ae1e53458bd61f43e

SHA512
6060fae5ba901c2c1952508356679eff7b36c5f97ac1be8d2522c1839ff10b5f086f654d4ea8a560fbe8b9544005b7406e9c062588ac55923257bfe397230d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_facvsj52.btr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c006aeb7-b548-4a3a-a16e-26078f3158be.vbs

Filesize
495B

MD5
fe887bc9a709a2ced6447ce5558c89e8

SHA1
d237e6b1bb2070ae9db58450715099f30080bf67

SHA256
d82882efdbc87436f0aba13dc3acf8fc13a444756dd69d04af902813445131be

SHA512
09436c4d0281fd9997c99a15c16a17f140c639ecbe37b5aafb392cc8e43650411b839deda2e316481d63dafb25267c0928963c772e682453e13ea327146aa14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d227eeb6-91bd-43f4-8a3d-632fc26c664d.vbs

Filesize
719B

MD5
b3b3dc2764b795bd028590f2f282baaf

SHA1
17c0169f28a0acdc53e7217cb241e41c49a7fefd

SHA256
06d4a102e5364ef84db3ed81a27ec0f9fa08f3f182ffecc3bc2660d9ae39a304

SHA512
a0afa07e501094bfc17893795c5af8d897bd30789bb734772b898581da21ae6eff85da3b421baf9a24fa0634762f075b496db354bb0a400961d1243e5e661bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd098fef-9415-4a96-be54-44a8649c9b71.vbs

Filesize
719B

MD5
15e5f84134557d76dec28a24bb42ab94

SHA1
ae8d66168105b0f25305bbfe645c2812fc313996

SHA256
3e3d27b077a7d485e1a0273ab994fe9eaee41ebad6970f1e9b167e0df0085405

SHA512
f9767d3b8385b41070dce4bbe55e6240da21556222559049095fb51cefad62a3f6d0e7e983cba6142b8f13c27a9b6164bb2bbd390b8d2e1fb0e919b2b5d02998

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECF2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
4.9MB

MD5
fbad13694fbd76b4a28785c6fa12af90

SHA1
35aca1ddefc9672625d9e94fd886810f30eea843

SHA256
5bb5b675e57095d6b0d8db6bb72107bfaa54c808d4e217511caf44540b08d4f2

SHA512
0e4ec2070b6fde55ea405611c7d8bc73520670608a6dc0e2f605c9a70c96bfa44135f988c7c1c29d20f0a1edd0390e056d9e6d6401d4a8aefee0fa96e1cb447b

Download Submit
memory/2868-79-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3796-205-0x000001CFE7480000-0x000001CFE74A2000-memory.dmp

Filesize
136KB

Download
memory/4348-511-0x000000001C9E0000-0x000000001C9F2000-memory.dmp

Filesize
72KB

Download
memory/4876-16-0x000000001C9D0000-0x000000001C9D8000-memory.dmp

Filesize
32KB

Download
memory/4876-18-0x000000001C9F0000-0x000000001C9FC000-memory.dmp

Filesize
48KB

Download
memory/4876-153-0x00007FFEC1130000-0x00007FFEC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-140-0x00007FFEC1133000-0x00007FFEC1135000-memory.dmp

Filesize
8KB

Download
memory/4876-7-0x000000001C2E0000-0x000000001C2F0000-memory.dmp

Filesize
64KB

Download
memory/4876-5-0x000000001C960000-0x000000001C9B0000-memory.dmp

Filesize
320KB

Download
memory/4876-4-0x000000001C080000-0x000000001C09C000-memory.dmp

Filesize
112KB

Download
memory/4876-3-0x000000001C1B0000-0x000000001C2DE000-memory.dmp

Filesize
1.2MB

Download
memory/4876-2-0x00007FFEC1130000-0x00007FFEC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-1-0x0000000000F60000-0x0000000001454000-memory.dmp

Filesize
5.0MB

Download
memory/4876-17-0x000000001C9E0000-0x000000001C9E8000-memory.dmp

Filesize
32KB

Download
memory/4876-187-0x00007FFEC1130000-0x00007FFEC1BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4876-6-0x00000000034F0000-0x00000000034F8000-memory.dmp

Filesize
32KB

Download
memory/4876-13-0x000000001C340000-0x000000001C34A000-memory.dmp

Filesize
40KB

Download
memory/4876-0-0x00007FFEC1133000-0x00007FFEC1135000-memory.dmp

Filesize
8KB

Download
memory/4876-14-0x000000001C9B0000-0x000000001C9BE000-memory.dmp

Filesize
56KB

Download
memory/4876-15-0x000000001C9C0000-0x000000001C9CE000-memory.dmp

Filesize
56KB

Download
memory/4876-12-0x000000001CEE0000-0x000000001D408000-memory.dmp

Filesize
5.2MB

Download
memory/4876-11-0x000000001C330000-0x000000001C342000-memory.dmp

Filesize
72KB

Download
memory/4876-10-0x000000001C320000-0x000000001C32A000-memory.dmp

Filesize
40KB

Download
memory/4876-9-0x000000001C310000-0x000000001C320000-memory.dmp

Filesize
64KB

Download
memory/4876-8-0x000000001C2F0000-0x000000001C306000-memory.dmp

Filesize
88KB

Download