colibri | 66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Size

4.9MB
MD5

82301881d8e1da67e88f7a2de51323e3
SHA1

c9e273ef20eeb06b51919a37abaa4fa0b2f76ee5
SHA256

66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c
SHA512

b7b66dbadcff31c0bbb9fd2eb33f1aadb30ec77e26c8db3dc275e3003bc2480dcc829b920a22e71668720e0852ef631746c4a0a0ec7294e47a010d9cc09197ad
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	1860	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1860	schtasks.exe	86

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3244-3-0x000000001C210000-0x000000001C33E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
964	powershell.exe
1028	powershell.exe
4700	powershell.exe
640	powershell.exe
3512	powershell.exe
4168	powershell.exe
1664	powershell.exe
1516	powershell.exe
2360	powershell.exe
3328	powershell.exe
4448	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 44 IoCs

pid	Process
5064	tmpB344.tmp.exe
4940	tmpB344.tmp.exe
4464	tmpB344.tmp.exe
1140	smss.exe
2184	tmpE83D.tmp.exe
812	tmpE83D.tmp.exe
4736	smss.exe
744	tmp1B24.tmp.exe
3388	tmp1B24.tmp.exe
1168	smss.exe
1720	tmp4B0E.tmp.exe
3696	tmp4B0E.tmp.exe
2420	smss.exe
3412	smss.exe
1308	tmp9834.tmp.exe
4056	tmp9834.tmp.exe
1100	smss.exe
548	tmpB438.tmp.exe
3296	tmpB438.tmp.exe
4168	smss.exe
3212	tmpD107.tmp.exe
232	tmpD107.tmp.exe
3852	smss.exe
2608	tmpECDC.tmp.exe
3416	tmpECDC.tmp.exe
3692	smss.exe
1000	tmp1D52.tmp.exe
1636	tmp1D52.tmp.exe
3092	tmp1D52.tmp.exe
2616	smss.exe
4640	tmp3908.tmp.exe
1196	tmp3908.tmp.exe
2912	smss.exe
1492	tmp6817.tmp.exe
4848	tmp6817.tmp.exe
4944	smss.exe
3612	tmp982F.tmp.exe
3968	tmp982F.tmp.exe
4428	smss.exe
4324	tmpC857.tmp.exe
4420	tmpC857.tmp.exe
592	smss.exe
2536	tmpE40D.tmp.exe
388	tmpE40D.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4464	4940	tmpB344.tmp.exe	141
PID 2184 set thread context of 812	2184	tmpE83D.tmp.exe	169
PID 744 set thread context of 3388	744	tmp1B24.tmp.exe	176
PID 1720 set thread context of 3696	1720	tmp4B0E.tmp.exe	183
PID 1308 set thread context of 4056	1308	tmp9834.tmp.exe	192
PID 548 set thread context of 3296	548	tmpB438.tmp.exe	198
PID 3212 set thread context of 232	3212	tmpD107.tmp.exe	204
PID 2608 set thread context of 3416	2608	tmpECDC.tmp.exe	210
PID 1636 set thread context of 3092	1636	tmp1D52.tmp.exe	217
PID 4640 set thread context of 1196	4640	tmp3908.tmp.exe	223
PID 1492 set thread context of 4848	1492	tmp6817.tmp.exe	229
PID 3612 set thread context of 3968	3612	tmp982F.tmp.exe	235
PID 4324 set thread context of 4420	4324	tmpC857.tmp.exe	241
PID 2536 set thread context of 388	2536	tmpE40D.tmp.exe	247

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\Windows Portable Devices\66fc9ff0ee96c2	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC753.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXB1AD.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\7-Zip\RCXBC81.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXC9D5.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD070.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\upfc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea1d8f6d871115	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\7-Zip\smss.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sihost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sppsvc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\7-Zip\69ddcba757bf72	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\Windows Portable Devices\sihost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Program Files\7-Zip\smss.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\wininit.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellComponents\csrss.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\Downloaded Program Files\wininit.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCXCE5B.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\IdentityCRL\INT\fontdrvhost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\Sun\RCXCC57.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\Sun\sppsvc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellComponents\RuntimeBroker.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\IdentityCRL\INT\fontdrvhost.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\Sun\0a1fd5f707cd16	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXC53F.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellComponents\886983d96e3d3e	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\ShellComponents\csrss.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\ShellComponents\RCXB5D7.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\ea1d8f6d871115	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\Sun\sppsvc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\Downloaded Program Files\56085415360792	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\ShellComponents\RCXB3C2.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\ShellComponents\RuntimeBroker.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\ShellComponents\9e8d7a4ca61bd9	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\IdentityCRL\INT\5b884080fd4f94	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\upfc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\IdentityCRL\INT\RCXC2BE.tmp	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\upfc.exe	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9834.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB438.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECDC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC857.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE40D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4B0E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1D52.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3908.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6817.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp982F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB344.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE83D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1D52.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB344.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1B24.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD107.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4108	schtasks.exe
924	schtasks.exe
3256	schtasks.exe
3600	schtasks.exe
3100	schtasks.exe
3412	schtasks.exe
760	schtasks.exe
928	schtasks.exe
4272	schtasks.exe
976	schtasks.exe
1216	schtasks.exe
4728	schtasks.exe
3448	schtasks.exe
4668	schtasks.exe
2300	schtasks.exe
4364	schtasks.exe
336	schtasks.exe
3772	schtasks.exe
964	schtasks.exe
1220	schtasks.exe
1728	schtasks.exe
5048	schtasks.exe
3252	schtasks.exe
4060	schtasks.exe
2500	schtasks.exe
1688	schtasks.exe
4264	schtasks.exe
2548	schtasks.exe
4244	schtasks.exe
3948	schtasks.exe
1928	schtasks.exe
2020	schtasks.exe
1996	schtasks.exe
3272	schtasks.exe
1500	schtasks.exe
3708	schtasks.exe
4420	schtasks.exe
3144	schtasks.exe
3472	schtasks.exe
3696	schtasks.exe
1772	schtasks.exe
528	schtasks.exe
4700	schtasks.exe
3856	schtasks.exe
2360	schtasks.exe
3640	schtasks.exe
2624	schtasks.exe
2896	schtasks.exe
4392	schtasks.exe
224	schtasks.exe
2276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
640	powershell.exe
640	powershell.exe
2360	powershell.exe
2360	powershell.exe
3512	powershell.exe
3512	powershell.exe
1516	powershell.exe
1516	powershell.exe
3328	powershell.exe
3328	powershell.exe
1664	powershell.exe
1664	powershell.exe
1028	powershell.exe
1028	powershell.exe
964	powershell.exe
964	powershell.exe
4700	powershell.exe
4700	powershell.exe
4168	powershell.exe
4168	powershell.exe
640	powershell.exe
4448	powershell.exe
4448	powershell.exe
2360	powershell.exe
3512	powershell.exe
3328	powershell.exe
1516	powershell.exe
1028	powershell.exe
4700	powershell.exe
1664	powershell.exe
4448	powershell.exe
964	powershell.exe
4168	powershell.exe
1140	smss.exe
4736	smss.exe
1168	smss.exe
2420	smss.exe
3412	smss.exe
1100	smss.exe
4168	smss.exe
3852	smss.exe
3692	smss.exe
2616	smss.exe
2912	smss.exe
4944	smss.exe
4428	smss.exe
592	smss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1140	smss.exe
Token: SeDebugPrivilege	4736	smss.exe
Token: SeDebugPrivilege	1168	smss.exe
Token: SeDebugPrivilege	2420	smss.exe
Token: SeDebugPrivilege	3412	smss.exe
Token: SeDebugPrivilege	1100	smss.exe
Token: SeDebugPrivilege	4168	smss.exe
Token: SeDebugPrivilege	3852	smss.exe
Token: SeDebugPrivilege	3692	smss.exe
Token: SeDebugPrivilege	2616	smss.exe
Token: SeDebugPrivilege	2912	smss.exe
Token: SeDebugPrivilege	4944	smss.exe
Token: SeDebugPrivilege	4428	smss.exe
Token: SeDebugPrivilege	592	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 5064	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	138
PID 3244 wrote to memory of 5064	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	138
PID 3244 wrote to memory of 5064	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	138
PID 5064 wrote to memory of 4940	5064	tmpB344.tmp.exe	140
PID 5064 wrote to memory of 4940	5064	tmpB344.tmp.exe	140
PID 5064 wrote to memory of 4940	5064	tmpB344.tmp.exe	140
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 4940 wrote to memory of 4464	4940	tmpB344.tmp.exe	141
PID 3244 wrote to memory of 4448	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	142
PID 3244 wrote to memory of 4448	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	142
PID 3244 wrote to memory of 1664	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	143
PID 3244 wrote to memory of 1664	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	143
PID 3244 wrote to memory of 964	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	144
PID 3244 wrote to memory of 964	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	144
PID 3244 wrote to memory of 1516	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	145
PID 3244 wrote to memory of 1516	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	145
PID 3244 wrote to memory of 2360	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	146
PID 3244 wrote to memory of 2360	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	146
PID 3244 wrote to memory of 1028	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	147
PID 3244 wrote to memory of 1028	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	147
PID 3244 wrote to memory of 3328	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	148
PID 3244 wrote to memory of 3328	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	148
PID 3244 wrote to memory of 4700	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	149
PID 3244 wrote to memory of 4700	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	149
PID 3244 wrote to memory of 640	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	150
PID 3244 wrote to memory of 640	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	150
PID 3244 wrote to memory of 3512	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	151
PID 3244 wrote to memory of 3512	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	151
PID 3244 wrote to memory of 4168	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	152
PID 3244 wrote to memory of 4168	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	152
PID 3244 wrote to memory of 1140	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	164
PID 3244 wrote to memory of 1140	3244	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe	164
PID 1140 wrote to memory of 1000	1140	smss.exe	165
PID 1140 wrote to memory of 1000	1140	smss.exe	165
PID 1140 wrote to memory of 2228	1140	smss.exe	166
PID 1140 wrote to memory of 2228	1140	smss.exe	166
PID 1140 wrote to memory of 2184	1140	smss.exe	167
PID 1140 wrote to memory of 2184	1140	smss.exe	167
PID 1140 wrote to memory of 2184	1140	smss.exe	167
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 2184 wrote to memory of 812	2184	tmpE83D.tmp.exe	169
PID 1000 wrote to memory of 4736	1000	WScript.exe	170
PID 1000 wrote to memory of 4736	1000	WScript.exe	170
PID 4736 wrote to memory of 4492	4736	smss.exe	171
PID 4736 wrote to memory of 4492	4736	smss.exe	171
PID 4736 wrote to memory of 3952	4736	smss.exe	172
PID 4736 wrote to memory of 3952	4736	smss.exe	172
PID 4736 wrote to memory of 744	4736	smss.exe	174
PID 4736 wrote to memory of 744	4736	smss.exe	174
PID 4736 wrote to memory of 744	4736	smss.exe	174
PID 744 wrote to memory of 3388	744	tmp1B24.tmp.exe	176
PID 744 wrote to memory of 3388	744	tmp1B24.tmp.exe	176
PID 744 wrote to memory of 3388	744	tmp1B24.tmp.exe	176
PID 744 wrote to memory of 3388	744	tmp1B24.tmp.exe	176

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe
"C:\Users\Admin\AppData\Local\Temp\66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3244
- C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Program Files\7-Zip\smss.exe
  "C:\Program Files\7-Zip\smss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1140
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3195153-4d7f-49f4-bf15-2c3a6be038ee.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Program Files\7-Zip\smss.exe
      "C:\Program Files\7-Zip\smss.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab417e08-4746-44f9-9258-e0db54cd6903.vbs"
        5⤵
        
        PID:4492
      - C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55211356-fee3-42a5-be86-fff4aa5b9117.vbs"
        7⤵
        
        PID:212
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da195bc1-7eed-4507-8caf-2b3aa9c670ed.vbs"
        9⤵
        
        PID:3324
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bace9076-a44c-449e-903b-0cdb11e41633.vbs"
        11⤵
        
        PID:264
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3254342-e201-4e5c-83e2-39fa4cc753aa.vbs"
        13⤵
        
        PID:1500
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1ced5f-0ffd-4bf7-8dad-bcd88252db38.vbs"
        15⤵
        
        PID:1664
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3be1f5ef-1010-4b49-b1b7-c76834d1bbe2.vbs"
        17⤵
        
        PID:4624
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42875511-6058-4cc4-8749-ec47b18bb146.vbs"
        19⤵
        
        PID:4056
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8702501e-3eac-4169-a9a3-b7b6def26b2f.vbs"
        21⤵
        
        PID:2928
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61b7ab6e-838e-41aa-8754-08b14c523913.vbs"
        23⤵
        
        PID:2516
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5afb0935-0c15-444f-8d80-afaf1b78a065.vbs"
        25⤵
        
        PID:3280
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d7138a5-b944-487c-b05d-8ebfae143293.vbs"
        27⤵
        
        PID:2020
        
        C:\Program Files\7-Zip\smss.exe
        
        "C:\Program Files\7-Zip\smss.exe"
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46fd1c2-233b-4b85-83d7-a104d3a707cf.vbs"
        29⤵
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b1ad1c1-7d8a-4700-9cbf-d718de8f1654.vbs"
        29⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmpE40D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE40D.tmp.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmpE40D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE40D.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\090d9462-a5ba-46cf-8c6e-350df78d1176.vbs"
        27⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmpC857.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC857.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmpC857.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC857.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ac58f38-a09e-44e0-9045-7d87bd6d0fbb.vbs"
        25⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp982F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp982F.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp982F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp982F.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8541ec41-091a-49b2-b669-47bba0cb38c2.vbs"
        23⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d909c1-cd54-4013-92c2-4e0788c61ec8.vbs"
        21⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp3908.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3908.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp3908.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3908.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6b34357-1d78-48e1-9665-1de382c3c4eb.vbs"
        19⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1D52.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f41ae953-7bae-4383-8917-692d888dafd0.vbs"
        17⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECDC.tmp.exe"
        18⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7d1dc4a-406a-4462-98e5-66c339affccd.vbs"
        15⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5b1772-ae4b-4588-afd5-73754a1ccee3.vbs"
        13⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmpB438.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB438.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmpB438.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB438.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77d94ee7-fcf6-4bb3-a6df-fdb28a149649.vbs"
        11⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp9834.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9834.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp9834.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9834.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83d47f84-2e24-4ce7-be9e-3c7176f56eb0.vbs"
        9⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c5dd193-10ca-46d3-bca2-6e5cb04e454b.vbs"
        7⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4B0E.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49e9be7a-9b7b-4e86-ab5d-84d119259c5a.vbs"
        5⤵
        
        PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\tmp1B24.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B24.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\tmp1B24.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1B24.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a802803-0e83-4353-99f5-b692ec226e85.vbs"
    3⤵
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE83D.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Sun\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Sun\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\upfc.exe

Filesize
4.9MB

MD5
feffe4abeeb5340677faea81bb293f59

SHA1
7675c30cf29b8793b8de4f814e0d52ecedd4123d

SHA256
b44944f949ac0d023b818fdc46e1da9aab27a1c75bea57aeebf1a3007d202556

SHA512
012cf06606ab38288eab03917e5644ccab4f7e0f37db83618d25a9a25c18eba2b687cc6dc23c0bf055142c23213270fb396a3e9b77ef98e763f5c1b8589e49ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\3be1f5ef-1010-4b49-b1b7-c76834d1bbe2.vbs

Filesize
707B

MD5
5a9cb2050435cedd7263896937314ba3

SHA1
77d4684c7d496d2dc5995598d139b2d0a08f1fae

SHA256
563839ec868d8d8391f88b325070e08858696d05b31e0a947ca47dd23b295b27

SHA512
c15aa93ad05b8f01a5dbaeea8406a060681a73ec91037f7decac81ff6384a0ea9dd6fb1e3f9048cc2a12a0d7ae2379abd0e7523a494d412e9d51d60333e15d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a802803-0e83-4353-99f5-b692ec226e85.vbs

Filesize
483B

MD5
ba7adf64dd9c2158a45951e37e64060e

SHA1
62d39f8c83ee0974f66b8c4384a984c7d9dc346b

SHA256
983984f332ef95b2f509ecbd8bb5b8741793bc6b3526bc65a6db142d7f5e178a

SHA512
cac4f5e61479587f943f9f7206f0cd18b97ad98eac7fece9d87e5e1aa47be3b470e9e5eabd3061341adee145893cf0d22e29b720dde45f707bc49d6c6dff126e

Download Submit
C:\Users\Admin\AppData\Local\Temp\55211356-fee3-42a5-be86-fff4aa5b9117.vbs

Filesize
707B

MD5
02da01f43668607a7a0156e07de6b7d0

SHA1
df18c7637ecd14949a55c1b44d4f4fcccc7fac31

SHA256
d29b0043129a27dce035b4776ddf1205224d15ec5752cb5f079840b4fd8094c8

SHA512
01fce713a614a0c0cda9022a268ae17061eac38367f1e7e17e88bcbd93d02a4002ad522b3166abad6006ea915118163fd485dc94d8882370fbbbd8766b3c5f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c1ced5f-0ffd-4bf7-8dad-bcd88252db38.vbs

Filesize
707B

MD5
5ea2fbdcec82b8fbf1a9340a973da78d

SHA1
98773bc389387975e52a3d06a08853de3a595942

SHA256
e8afa29c336725fc5f3668676fc38a7b17d3e92073753e1081e8dda35bd8b9a5

SHA512
3527bc4944a63824079f55e291d4c08920fdfa1e6e8d09dc484d083a81f78d39ed5f42bd48ccfe88a08f1f7352f82a6235d63080e5b6e3cc48ba6ee0a28295c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkraz4em.vrf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3254342-e201-4e5c-83e2-39fa4cc753aa.vbs

Filesize
707B

MD5
f494508d54f73ad2edd645709a209b2d

SHA1
24940a9c6c016741892aec8bbef2209d428a6955

SHA256
a62e19551530de609b53cc6ec7470c2800e02d256bace2c858911619cb39dabe

SHA512
b016f4263c4e936aade4ab0be9c77e51e26b7604cb6abf6b1d2d2e8d250fbd94f1e68ee45c08a20c9d620b6b2e619601b6448354948f5ccc9962983dbb2f2d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab417e08-4746-44f9-9258-e0db54cd6903.vbs

Filesize
707B

MD5
8688f33736a109794b531c598cd04d15

SHA1
e4f7871d47c79cd46c4d1ad36194ea6f70a2a4e2

SHA256
126646a1c352928bcee14b9a46dd639a383e2d4741794c212facf0158e38978a

SHA512
77b69940dc244a33d57a64ba6ce45b494bc656b75d04a8e78e856f5ea129529a7a4e4e4f05f0a67a34e5119182368dfbc7f0333480162630b0884ab42338042a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bace9076-a44c-449e-903b-0cdb11e41633.vbs

Filesize
707B

MD5
09094d5482527be0c8ba004e93b5842e

SHA1
106747537fdfbdb1add32fbc461fc9e8b633ece8

SHA256
741b10481eb4aca2d7df7281445fab6857c8b2f4302c3f431be46dc6bc8f82d6

SHA512
e46f4d3ebb491d520004051abaaefb11c7f34d24176986581c491591eef52bef6f612e570a863cf8f8141785f987a1c402e8da8b0910d7206d648d027cda3709

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3195153-4d7f-49f4-bf15-2c3a6be038ee.vbs

Filesize
707B

MD5
9deef255f83f295e81e6b7d20570777a

SHA1
933d86f338f1f255f8785ecddf3d4eb12c6700a1

SHA256
e61514a15b80fbfb5100f52dbce5b4c67e0586aa60d1b5047fecc79547b074b0

SHA512
c670719d216050f0a9da5f5a35ab5608600807e78de20c507291b4e6100a6a582081a8a2420ecafc6239321d2fb9b484fa029068b9d18c04afa51585c66f28dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\da195bc1-7eed-4507-8caf-2b3aa9c670ed.vbs

Filesize
707B

MD5
54562b706e90e7ea48f820c47519ef6f

SHA1
a9a364f0b81d9b3f02f0d9497d99c048b13274f0

SHA256
edc41d61fa5a5969721bc6783e26ffce6a23be6b78d1e55bef718e8b3b2601c0

SHA512
e6dbf7cdb2131f6ce9f22f9c175656fc496019daf0755311573adad15988bda77fcfdc0b82789a1e3d8ed9079a09b0d72ed4ee78b69a1e21bd658f3f02f5d269

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB344.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Default\OfficeClickToRun.exe

Filesize
4.9MB

MD5
82301881d8e1da67e88f7a2de51323e3

SHA1
c9e273ef20eeb06b51919a37abaa4fa0b2f76ee5

SHA256
66b9667af235ce28b4744470d9b1430366febabd3517f1f7a99edfa2053fc40c

SHA512
b7b66dbadcff31c0bbb9fd2eb33f1aadb30ec77e26c8db3dc275e3003bc2480dcc829b920a22e71668720e0852ef631746c4a0a0ec7294e47a010d9cc09197ad

Download Submit
C:\Windows\Downloaded Program Files\RCXCE5B.tmp

Filesize
4.9MB

MD5
5038c62223e791bccce3c3dedb166698

SHA1
362bf86ab2adda28327686e7c0a2904dab1a4fe6

SHA256
64deee2e984a187c921745432117943ef8feb79152e8606eb867fc115098db42

SHA512
c3ae4a4341be7aca10cb300d7330136d71055ff39480c090cabb1edcb01cbfb7f9bcb383353c3ee279e905ad92a80ad98c633c30b709fe645efd45a6ade2ae1e

Download Submit
memory/592-622-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2616-557-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/3244-11-0x000000001C970000-0x000000001C982000-memory.dmp

Filesize
72KB

Download
memory/3244-0-0x00007FFF96F53000-0x00007FFF96F55000-memory.dmp

Filesize
8KB

Download
memory/3244-1-0x0000000000F80000-0x0000000001474000-memory.dmp

Filesize
5.0MB

Download
memory/3244-165-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3244-18-0x000000001CB20000-0x000000001CB2C000-memory.dmp

Filesize
48KB

Download
memory/3244-17-0x000000001CA10000-0x000000001CA18000-memory.dmp

Filesize
32KB

Download
memory/3244-2-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3244-346-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/3244-16-0x000000001CA00000-0x000000001CA08000-memory.dmp

Filesize
32KB

Download
memory/3244-13-0x000000001C980000-0x000000001C98A000-memory.dmp

Filesize
40KB

Download
memory/3244-14-0x000000001C990000-0x000000001C99E000-memory.dmp

Filesize
56KB

Download
memory/3244-15-0x000000001C9A0000-0x000000001C9AE000-memory.dmp

Filesize
56KB

Download
memory/3244-12-0x000000001CF30000-0x000000001D458000-memory.dmp

Filesize
5.2MB

Download
memory/3244-150-0x00007FFF96F53000-0x00007FFF96F55000-memory.dmp

Filesize
8KB

Download
memory/3244-10-0x000000001C960000-0x000000001C96A000-memory.dmp

Filesize
40KB

Download
memory/3244-8-0x000000001C1E0000-0x000000001C1F6000-memory.dmp

Filesize
88KB

Download
memory/3244-9-0x000000001C340000-0x000000001C350000-memory.dmp

Filesize
64KB

Download
memory/3244-6-0x00000000037B0000-0x00000000037B8000-memory.dmp

Filesize
32KB

Download
memory/3244-7-0x000000001C1D0000-0x000000001C1E0000-memory.dmp

Filesize
64KB

Download
memory/3244-5-0x000000001C9B0000-0x000000001CA00000-memory.dmp

Filesize
320KB

Download
memory/3244-4-0x0000000003790000-0x00000000037AC000-memory.dmp

Filesize
112KB

Download
memory/3244-3-0x000000001C210000-0x000000001C33E000-memory.dmp

Filesize
1.2MB

Download
memory/3512-253-0x0000023B40B40000-0x0000023B40B62000-memory.dmp

Filesize
136KB

Download
memory/3852-520-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/4464-82-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download