colibri | 3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Size

4.9MB
MD5

a6c4e2d077ec90e6c69325b0da5adb1b
SHA1

945d07aac7c54ca5560ba5cb1e05b0e6c25f8a0d
SHA256

3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14
SHA512

d0fb442b6b0b846193a63abd8cf7084de8c435a7670a6065edd720464897af8ea969f7d452c99457075d9ac06b05e27623fd992b76cf9d26885d8e91ad9ea918
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	2560	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2560	schtasks.exe	86

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1100-2-0x000000001C000000-0x000000001C12E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3152	powershell.exe
1348	powershell.exe
316	powershell.exe
2564	powershell.exe
4500	powershell.exe
2932	powershell.exe
4304	powershell.exe
1664	powershell.exe
64	powershell.exe
440	powershell.exe
3016	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 45 IoCs

pid	Process
3332	tmp9ED2.tmp.exe
1924	tmp9ED2.tmp.exe
4020	tmp9ED2.tmp.exe
2060	services.exe
2652	tmpEA50.tmp.exe
316	tmpEA50.tmp.exe
3556	tmpEA50.tmp.exe
3704	tmpEA50.tmp.exe
812	tmpEA50.tmp.exe
3764	services.exe
1976	tmp75E.tmp.exe
448	tmp75E.tmp.exe
216	services.exe
1596	services.exe
812	tmp3F08.tmp.exe
4612	tmp3F08.tmp.exe
1812	services.exe
3764	tmp5BE6.tmp.exe
5024	tmp5BE6.tmp.exe
1120	tmp5BE6.tmp.exe
1976	tmp5BE6.tmp.exe
4944	services.exe
1388	tmp8C7C.tmp.exe
452	tmp8C7C.tmp.exe
3532	services.exe
1884	tmpA8ED.tmp.exe
964	tmpA8ED.tmp.exe
2900	services.exe
2280	tmpDA0F.tmp.exe
2288	tmpDA0F.tmp.exe
4812	services.exe
2644	services.exe
4708	tmp25ED.tmp.exe
1000	tmp25ED.tmp.exe
1336	services.exe
1028	tmp4164.tmp.exe
2124	tmp4164.tmp.exe
1564	services.exe
2000	tmp71EA.tmp.exe
1808	tmp71EA.tmp.exe
1716	tmp71EA.tmp.exe
3708	services.exe
3584	tmpB5D9.tmp.exe
2196	tmpB5D9.tmp.exe
1580	services.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 4020	1924	tmp9ED2.tmp.exe	147
PID 3704 set thread context of 812	3704	tmpEA50.tmp.exe	184
PID 1976 set thread context of 448	1976	tmp75E.tmp.exe	196
PID 812 set thread context of 4612	812	tmp3F08.tmp.exe	210
PID 1120 set thread context of 1976	1120	tmp5BE6.tmp.exe	221
PID 1388 set thread context of 452	1388	tmp8C7C.tmp.exe	230
PID 1884 set thread context of 964	1884	tmpA8ED.tmp.exe	240
PID 2280 set thread context of 2288	2280	tmpDA0F.tmp.exe	250
PID 4708 set thread context of 1000	4708	tmp25ED.tmp.exe	264
PID 1028 set thread context of 2124	1028	tmp4164.tmp.exe	274
PID 1808 set thread context of 1716	1808	tmp71EA.tmp.exe	284
PID 3584 set thread context of 2196	3584	tmpB5D9.tmp.exe	293

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\RCXAC65.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Program Files\Crashpad\attachments\sysmon.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files\Google\6ccacd8608530f	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXA7CF.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Program Files\Google\Idle.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB08D.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\System.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files\Crashpad\attachments\sysmon.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files\Crashpad\attachments\121e5b5079f7c0	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Program Files\Google\Idle.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\IME\fr-FR\spoolsv.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\eddb19405b7ce1	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\System\spoolsv.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\IME\fr-FR\f3b6ecef712a24	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\System\f3b6ecef712a24	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\38384e6a620884	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\ShellComponents\StartMenuExperienceHost.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\IME\fr-FR\RCXB4B6.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\RemotePackages\RemoteDesktops\RCXBAE3.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\ShellComponents\StartMenuExperienceHost.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\backgroundTaskHost.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\System\spoolsv.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File created	C:\Windows\ShellComponents\55b276f4edf653	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\RCX9D5A.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\System\RCXA1A3.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\IME\fr-FR\spoolsv.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\ShellComponents\RCXC3FE.tmp	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
File opened for modification	C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\backgroundTaskHost.exe	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB5D9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA50.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA8ED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp71EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp71EA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA50.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp25ED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4164.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp75E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5BE6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8C7C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA0F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3F08.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5BE6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5BE6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9ED2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9ED2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA50.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEA50.tmp.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
860	schtasks.exe
4900	schtasks.exe
4044	schtasks.exe
1864	schtasks.exe
3572	schtasks.exe
696	schtasks.exe
468	schtasks.exe
3712	schtasks.exe
4680	schtasks.exe
4500	schtasks.exe
4744	schtasks.exe
3612	schtasks.exe
4556	schtasks.exe
4504	schtasks.exe
3328	schtasks.exe
3248	schtasks.exe
3160	schtasks.exe
4620	schtasks.exe
3772	schtasks.exe
3096	schtasks.exe
3528	schtasks.exe
2688	schtasks.exe
316	schtasks.exe
452	schtasks.exe
640	schtasks.exe
4032	schtasks.exe
4292	schtasks.exe
4936	schtasks.exe
64	schtasks.exe
3200	schtasks.exe
3520	schtasks.exe
1032	schtasks.exe
1552	schtasks.exe
4376	schtasks.exe
4892	schtasks.exe
3616	schtasks.exe
1536	schtasks.exe
3596	schtasks.exe
1740	schtasks.exe
1684	schtasks.exe
3224	schtasks.exe
1164	schtasks.exe
1676	schtasks.exe
432	schtasks.exe
1580	schtasks.exe
3236	schtasks.exe
3568	schtasks.exe
1596	schtasks.exe
4388	schtasks.exe
3172	schtasks.exe
4856	schtasks.exe
3016	schtasks.exe
2932	schtasks.exe
3992	schtasks.exe
428	schtasks.exe
3324	schtasks.exe
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
3152	powershell.exe
3152	powershell.exe
316	powershell.exe
316	powershell.exe
4500	powershell.exe
4500	powershell.exe
1348	powershell.exe
1348	powershell.exe
1664	powershell.exe
1664	powershell.exe
440	powershell.exe
440	powershell.exe
64	powershell.exe
64	powershell.exe
2564	powershell.exe
2564	powershell.exe
3016	powershell.exe
3016	powershell.exe
4304	powershell.exe
4304	powershell.exe
2932	powershell.exe
2932	powershell.exe
316	powershell.exe
3152	powershell.exe
1664	powershell.exe
64	powershell.exe
4500	powershell.exe
1348	powershell.exe
4304	powershell.exe
440	powershell.exe
3016	powershell.exe
2932	powershell.exe
2564	powershell.exe
2060	services.exe
3764	services.exe
216	services.exe
1596	services.exe
1812	services.exe
4944	services.exe
3532	services.exe
2900	services.exe
4812	services.exe
2644	services.exe
1336	services.exe
1564	services.exe
3708	services.exe
1580	services.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2060	services.exe
Token: SeDebugPrivilege	3764	services.exe
Token: SeDebugPrivilege	216	services.exe
Token: SeDebugPrivilege	1596	services.exe
Token: SeDebugPrivilege	1812	services.exe
Token: SeDebugPrivilege	4944	services.exe
Token: SeDebugPrivilege	3532	services.exe
Token: SeDebugPrivilege	2900	services.exe
Token: SeDebugPrivilege	4812	services.exe
Token: SeDebugPrivilege	2644	services.exe
Token: SeDebugPrivilege	1336	services.exe
Token: SeDebugPrivilege	1564	services.exe
Token: SeDebugPrivilege	3708	services.exe
Token: SeDebugPrivilege	1580	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3332	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	144
PID 1100 wrote to memory of 3332	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	144
PID 1100 wrote to memory of 3332	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	144
PID 3332 wrote to memory of 1924	3332	tmp9ED2.tmp.exe	146
PID 3332 wrote to memory of 1924	3332	tmp9ED2.tmp.exe	146
PID 3332 wrote to memory of 1924	3332	tmp9ED2.tmp.exe	146
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1924 wrote to memory of 4020	1924	tmp9ED2.tmp.exe	147
PID 1100 wrote to memory of 4304	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	149
PID 1100 wrote to memory of 4304	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	149
PID 1100 wrote to memory of 3152	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	150
PID 1100 wrote to memory of 3152	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	150
PID 1100 wrote to memory of 4500	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	151
PID 1100 wrote to memory of 4500	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	151
PID 1100 wrote to memory of 2564	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	152
PID 1100 wrote to memory of 2564	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	152
PID 1100 wrote to memory of 316	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	153
PID 1100 wrote to memory of 316	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	153
PID 1100 wrote to memory of 3016	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	155
PID 1100 wrote to memory of 3016	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	155
PID 1100 wrote to memory of 1348	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	156
PID 1100 wrote to memory of 1348	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	156
PID 1100 wrote to memory of 440	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	157
PID 1100 wrote to memory of 440	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	157
PID 1100 wrote to memory of 64	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	158
PID 1100 wrote to memory of 64	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	158
PID 1100 wrote to memory of 1664	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	159
PID 1100 wrote to memory of 1664	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	159
PID 1100 wrote to memory of 2932	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	160
PID 1100 wrote to memory of 2932	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	160
PID 1100 wrote to memory of 4888	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	170
PID 1100 wrote to memory of 4888	1100	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe	170
PID 4888 wrote to memory of 4108	4888	cmd.exe	173
PID 4888 wrote to memory of 4108	4888	cmd.exe	173
PID 4888 wrote to memory of 2060	4888	cmd.exe	175
PID 4888 wrote to memory of 2060	4888	cmd.exe	175
PID 2060 wrote to memory of 3252	2060	services.exe	177
PID 2060 wrote to memory of 3252	2060	services.exe	177
PID 2060 wrote to memory of 2908	2060	services.exe	178
PID 2060 wrote to memory of 2908	2060	services.exe	178
PID 2060 wrote to memory of 2652	2060	services.exe	179
PID 2060 wrote to memory of 2652	2060	services.exe	179
PID 2060 wrote to memory of 2652	2060	services.exe	179
PID 2652 wrote to memory of 316	2652	tmpEA50.tmp.exe	181
PID 2652 wrote to memory of 316	2652	tmpEA50.tmp.exe	181
PID 2652 wrote to memory of 316	2652	tmpEA50.tmp.exe	181
PID 316 wrote to memory of 3556	316	tmpEA50.tmp.exe	182
PID 316 wrote to memory of 3556	316	tmpEA50.tmp.exe	182
PID 316 wrote to memory of 3556	316	tmpEA50.tmp.exe	182
PID 3556 wrote to memory of 3704	3556	tmpEA50.tmp.exe	183
PID 3556 wrote to memory of 3704	3556	tmpEA50.tmp.exe	183
PID 3556 wrote to memory of 3704	3556	tmpEA50.tmp.exe	183
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184
PID 3704 wrote to memory of 812	3704	tmpEA50.tmp.exe	184

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe
"C:\Users\Admin\AppData\Local\Temp\3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1100
- C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IdyG5eoGoC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4108
- - C:\Users\Admin\services.exe
    "C:\Users\Admin\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03857f32-88a2-42f3-b830-dd437adc05fe.vbs"
      4⤵
      PID:3252
    - - C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3764
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77d2acf0-0997-48f9-8f73-028271374241.vbs"
        6⤵
        
        PID:3108
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b0e00d9-62af-49d9-9e31-8f1d86970d58.vbs"
        8⤵
        
        PID:4964
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e2d2d9-24ab-40a1-ba2d-2722c8f1eb6f.vbs"
        10⤵
        
        PID:2672
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\211b7c49-af2e-4ced-93d5-ae74dbbcb90e.vbs"
        12⤵
        
        PID:4704
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcbf860a-bf01-430c-9e5f-1a0f3f78dd6f.vbs"
        14⤵
        
        PID:2824
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d055cdba-b13c-41dd-b945-e73f0d710902.vbs"
        16⤵
        
        PID:2188
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\395df3ec-b4f7-4d22-a7af-18d9d03a10ad.vbs"
        18⤵
        
        PID:1964
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69943b4c-c39a-45dd-8b2d-5f987ac1eadb.vbs"
        20⤵
        
        PID:220
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e5b1b30-8f74-4ea4-b64e-0e269b689062.vbs"
        22⤵
        
        PID:3556
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42e9af4e-af76-44af-a6f0-af9c1770217e.vbs"
        24⤵
        
        PID:4652
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d229e78-6e75-49dc-aae2-1d3905524e84.vbs"
        26⤵
        
        PID:3924
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69e9147d-8e71-4218-894e-9f3e9f53452a.vbs"
        28⤵
        
        PID:2300
        
        C:\Users\Admin\services.exe
        
        C:\Users\Admin\services.exe
        29⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab81fd9-6899-422d-bbf4-d92497b1bde3.vbs"
        28⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmpB5D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB5D9.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmpB5D9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB5D9.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e168bcbb-6ff7-4673-8b3a-45e4752a67fb.vbs"
        26⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71EA.tmp.exe"
        28⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34443ceb-118c-4e9e-a40c-cc46f8c4ef1d.vbs"
        24⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13bcfd46-a663-4e8f-9425-1dca2c4b85a4.vbs"
        22⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp25ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25ED.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp25ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp25ED.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95dba9f6-6e33-4cc3-b4cb-83123c0bdd73.vbs"
        20⤵
        
        PID:408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58467bf5-d727-455c-b362-6afe53af1bcf.vbs"
        18⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1f2183a-0b9b-46a0-9026-e5c49cabec63.vbs"
        16⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA8ED.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\603ba6ee-3f17-492c-a838-055554b1e8ba.vbs"
        14⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp8C7C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C7C.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp8C7C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8C7C.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f17fe4a6-8cf8-4ba4-9007-8b9c2ab5f2fc.vbs"
        12⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5BE6.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b733bbd-e695-4c74-8111-c32a05ea4584.vbs"
        10⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38e79ae6-643c-4692-965a-399f4c79b6d3.vbs"
        8⤵
        
        PID:3564
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe37e7ec-783a-40c6-b7e3-ffd1c0587122.vbs"
        6⤵
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\tmp75E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp75E.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp75E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp75E.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36789d7c-1722-43f1-aaeb-b1c399f50469.vbs"
      4⤵
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEA50.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemResources\Microsoft.Windows.SecHealthUI\pris\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\System\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\attachments\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteDesktops\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXAA51.tmp

Filesize
4.9MB

MD5
254887f909463d97f2be3f6b0e0129a7

SHA1
d1ed3f614402e60501bb46b2897fa552a7de46be

SHA256
80e2077bdc780aabce54cb2b9af61d7bd26f6d983be1a08dbe7611497f71aa5b

SHA512
2954d718079b7c4ede593b009184303d8c4420ddb7e1ba3282e6b1e1bb2baf375dd8b2247c78c09404d90daf86347dcee53c93c2a3a21a52d23d0b5e44adc7ad

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
4.9MB

MD5
a6c4e2d077ec90e6c69325b0da5adb1b

SHA1
945d07aac7c54ca5560ba5cb1e05b0e6c25f8a0d

SHA256
3ef212171dd23bbe21457d28cf98c3eed80aeabd231cac6ba9878762543bda14

SHA512
d0fb442b6b0b846193a63abd8cf7084de8c435a7670a6065edd720464897af8ea969f7d452c99457075d9ac06b05e27623fd992b76cf9d26885d8e91ad9ea918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89867a8578769e850fdad101e8a90341

SHA1
9be713e91cc759698839588f7e8337882d8d0a82

SHA256
2f80bc5cd60c47ca232e6ce7276f2ae3b5311a6538269f2d8af529b8d52a7248

SHA512
3af719c5701c72e7cd87a2e1e3cb30ab45b9e2d25b46312a6b184b1e085939f309e94d77a8b7466e90155c8373bedfc39aa93e985fb5569954db9ee3ba58028d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\03857f32-88a2-42f3-b830-dd437adc05fe.vbs

Filesize
703B

MD5
7295ff1bf9c8a366c2dbd7b849af1f1c

SHA1
d4be31a12933d56c53cf51a08d2eb05762ef05b0

SHA256
0ea2f8655ff60aca6ed0eb53c4ee2376e70222098fc359f5df325c2bd1370ac7

SHA512
e59ea34375e95be302456da8b94af9ea1fd66f141b06b326528c783c04230a5659c9be0519c02343374195e8036543bf41601ccb27bf605756ed7d2c9f2c56dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\211b7c49-af2e-4ced-93d5-ae74dbbcb90e.vbs

Filesize
703B

MD5
6649c0938c272c9582285a9ae694666e

SHA1
13a787f69308e67d80aacf221d99ab311da734b5

SHA256
07875957ffac82b883a41e0fd6b100a055d95aea431b5cbfc558f253e00f16e8

SHA512
7ed9d1093325f489f6d5a71608522df4f883f7a483d2bbc289a74b65ead4a74154d0a1c660a2ad821dbd03a63765cd976bc58bf237a14cbf92e1eb485538948a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b0e00d9-62af-49d9-9e31-8f1d86970d58.vbs

Filesize
702B

MD5
a9ac4aec4a1b69564ecd45fb92f4769e

SHA1
32c5f9e56fa529f69c3f91b95eaa53df47e48dbd

SHA256
31260543d054bee2d92aa7c5a7585cea60fc14f4a8c4548bb79b2d35d6470507

SHA512
f98fd5244ac58148ce6d9f624f774fe48b0503879078ce0d9f326f20390e00351fef77635901407bc26c7e2fe4c4d2e7f29c5bfe40fcc7c7e82294b1f3f66d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\36789d7c-1722-43f1-aaeb-b1c399f50469.vbs

Filesize
479B

MD5
290d82258bb73dfa39fc1cf2021186f2

SHA1
4ea1f301d72cabd9738579b4992abcf7b4c57642

SHA256
d145b9961b606f5adde89dc1e63eac5bb0696bb70542c655fb90f6acbdc1c08e

SHA512
9818e609e5b121244fc4d7c91613a42b8850637f127ec660c1216e4027c31bad92abe3c52b50ee09da712c53e9c21d0bd0d29a6ea1e9241af9616b8a56c42d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\59e2d2d9-24ab-40a1-ba2d-2722c8f1eb6f.vbs

Filesize
703B

MD5
058e021509c0ca340d789b1cffeb74c6

SHA1
18a7bc1e352d1d7a2afefeebfeec9716eee2c729

SHA256
5e6e8444bdd661e68ff99e13fe7403dd146040bf3ce4d8d61b734a0cc015c44b

SHA512
6d82ca1ec61c04bb5f0b83b27a88b462503f3a13bac4213938f92d44d8b348a1fc96b2acd3cc891544750eb3126c1be1c87faaa8daf0576738a0410a9f6a0ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\77d2acf0-0997-48f9-8f73-028271374241.vbs

Filesize
703B

MD5
0e7b72339276bd034f0afe97bd10b9f6

SHA1
6aa888bc79fadd0d7e6de5547a478b5462d693a7

SHA256
bd2b71d1334402482f75cc7991087d83033b3b46d171854a518b4b3604ecdbc8

SHA512
d493d2506dfd5a686a429e347bf010bd3cb5ad65301ee93734ebe7b99e0cdb30f3e44535412bce45521126127a1cb616213022ebbbea6b0f9bde49314867aae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IdyG5eoGoC.bat

Filesize
192B

MD5
f90069b069cc833f1921fbbe3b696d30

SHA1
0d09f524a84dec62c39936367b28aaed1ee20ae7

SHA256
959ef73f6e650a684286bff099a45c2a5c0f5da6302605c1a8c56a2513392435

SHA512
9dbf832e29deb2c3f129a432b5fbcff6e81631c269cefe87d13aabea08b56d09bdc2254a84bdcd8838cb99abd5898352bc8cf141b31d179ac1dcfc758abc6ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jte43qiy.0ia.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d055cdba-b13c-41dd-b945-e73f0d710902.vbs

Filesize
703B

MD5
be6da55b577761f1066025c282f5443c

SHA1
383ca6e2cd693465ea1417b5a93d42beb4e83490

SHA256
8cc999fe50a35491522501baeaed4d6fd957f2bc0c7d7892e559ebf9b406fa49

SHA512
26f3de951068ea653b5ffac0c7c7736e147e9d4191bb6122b113d56315e2fe181b936b7fcb1c7db0333f6cecd127b3147753260144beb9e866698ff8acef4c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcbf860a-bf01-430c-9e5f-1a0f3f78dd6f.vbs

Filesize
703B

MD5
08e8023985a7e0f45051c1143e7a654a

SHA1
f26defd73bf1c54cc5051821fbff34fef3d5b1ed

SHA256
8fffa13401dc047cb5638e2ac6f1716a26f706627b64b321829bb6f9c1efa029

SHA512
e60d4f1b50748943464537994c1473ca67f2de5ac337a3f5dfb6bd0f3003e1bcd20a99ee5a1ff5316b9d5c5d3a876ddd8d03e91c6eee0b07ce89f16348339e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9ED2.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/216-385-0x000000001BF90000-0x000000001BFA2000-memory.dmp

Filesize
72KB

Download
memory/316-225-0x00000253F10E0000-0x00000253F1102000-memory.dmp

Filesize
136KB

Download
memory/1100-210-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-3-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-7-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/1100-159-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp

Filesize
8KB

Download
memory/1100-174-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/1100-6-0x00000000032D0000-0x00000000032D8000-memory.dmp

Filesize
32KB

Download
memory/1100-10-0x000000001BFA0000-0x000000001BFAA000-memory.dmp

Filesize
40KB

Download
memory/1100-18-0x000000001C7A0000-0x000000001C7AC000-memory.dmp

Filesize
48KB

Download
memory/1100-17-0x000000001C790000-0x000000001C798000-memory.dmp

Filesize
32KB

Download
memory/1100-5-0x000000001C730000-0x000000001C780000-memory.dmp

Filesize
320KB

Download
memory/1100-4-0x00000000032A0000-0x00000000032BC000-memory.dmp

Filesize
112KB

Download
memory/1100-9-0x000000001BF90000-0x000000001BFA0000-memory.dmp

Filesize
64KB

Download
memory/1100-2-0x000000001C000000-0x000000001C12E000-memory.dmp

Filesize
1.2MB

Download
memory/1100-0-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp

Filesize
8KB

Download
memory/1100-16-0x000000001C780000-0x000000001C788000-memory.dmp

Filesize
32KB

Download
memory/1100-1-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/1100-14-0x000000001BFD0000-0x000000001BFDE000-memory.dmp

Filesize
56KB

Download
memory/1100-13-0x000000001BFC0000-0x000000001BFCA000-memory.dmp

Filesize
40KB

Download
memory/1100-15-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/1100-12-0x000000001CCB0000-0x000000001D1D8000-memory.dmp

Filesize
5.2MB

Download
memory/1100-11-0x000000001BFB0000-0x000000001BFC2000-memory.dmp

Filesize
72KB

Download
memory/1100-8-0x000000001BF70000-0x000000001BF86000-memory.dmp

Filesize
88KB

Download
memory/1336-529-0x000000001D5F0000-0x000000001D602000-memory.dmp

Filesize
72KB

Download
memory/4020-86-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download