neshta | a73a05a4b6ec6ae1c1ba6d3d12b68cc52b899e2a6dbbaaa1f48f2c260a733123

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cheat_master_install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Disables Task Manager via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat_master_install.exe"	cheat_master_install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat_master_install.exe"	cheat_master_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	CHEAT_~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	cheat_master_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	cheat_master_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000023d09-549.dat	acprotect

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3mb_online_install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	windef_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	._cache_MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3MB_ON~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	._cache_MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	windef_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	._cache_MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	MINECR~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WINDEF~1.EXE

Executes dropped EXE 50 IoCs

pid	Process
3928	cheat_master_install.exe
840	cheat_master_install.exe
4456	3mb_online_install.exe
3260	Start.exe
1848	windef_installer.exe
452	windef_installer.exe
1792	svchost.com
3672	WINLOC~1.EXE
5080	svchost.com
4288	MINECR~1.EXE
2216	svchost.com
3092	cheats.exe
1652	svchost.com
2596	cheat.exe
4028	._cache_MINECR~1.EXE
3816	Synaptics.exe
4444	svchost.com
1620	._cache_Synaptics.exe
3484	cheats.exe
4876	svchost.com
4932	CHEAT_~1.EXE
3656	svchost.com
5016	3MB_ON~1.EXE
3952	svchost.com
3980	WINDEF~1.EXE
4080	svchost.com
2572	MINECR~1.EXE
2420	svchost.com
4476	cheats.exe
1268	._cache_MINECR~1.EXE
3516	svchost.com
840	WINDEF~1.EXE
3248	svchost.com
4988	WINLOC~1.EXE
1220	svchost.com
5104	3MB_ON~1.EXE
1528	svchost.com
2312	Start.exe
4872	svchost.com
4376	svchost.com
2924	svchost.com
2712	MINECR~1.EXE
4180	cheats.exe
3436	._cache_MINECR~1.EXE
1536	svchost.com
1336	CHEAT_~1.EXE
4220	svchost.com
380	cheat.exe
1704	svchost.com
4352	WINDEF~1.EXE

Loads dropped DLL 17 IoCs

pid	Process
3672	WINLOC~1.EXE
3672	WINLOC~1.EXE
3672	WINLOC~1.EXE
3672	WINLOC~1.EXE
3672	WINLOC~1.EXE
2572	MINECR~1.EXE
2572	MINECR~1.EXE
4988	WINLOC~1.EXE
4988	WINLOC~1.EXE
4988	WINLOC~1.EXE
4988	WINLOC~1.EXE
4988	WINLOC~1.EXE
2712	MINECR~1.EXE
2712	MINECR~1.EXE
4940	javaw.exe
4940	javaw.exe
4940	javaw.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	windef_installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MINECR~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHEAT_~1.EXE"	CHEAT_~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat_master_install.exe"	cheat_master_install.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cheat_master_install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
87	ip-api.com
127	ip-api.com
136	checkip.amazonaws.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cheat_master_install.exe
File opened for modification	\??\PhysicalDrive0	CHEAT_~1.EXE
File opened for modification	\??\PhysicalDrive0	CHEAT_~1.EXE

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_MINECR~1.EXE	MINECR~1.EXE
File created	C:\Windows\system32\2c5b6ba2-5107-484a-8e20-d7b3ac11f222	javaw.exe
File opened for modification	C:\Windows\system32\2c5b6ba2-5107-484a-8e20-d7b3ac11f222	javaw.exe
File created	C:\Windows\system32\6d5629c9-6308-48f3-84a2-390ab4309126	javaw.exe
File opened for modification	C:\Windows\SysWOW64\._cache_MINECR~1.EXE	MINECR~1.EXE
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_MINECR~1.EXE	MINECR~1.EXE
File opened for modification	C:\Windows\System32\aa35f961-dba3-4b9b-ac58-0bea58b98572	javaw.exe
File created	C:\Windows\system32\aa35f961-dba3-4b9b-ac58-0bea58b98572	javaw.exe
File opened for modification	C:\Windows\system32\6d5629c9-6308-48f3-84a2-390ab4309126	javaw.exe
File opened for modification	C:\Windows\System32\6d5629c9-6308-48f3-84a2-390ab4309126	javaw.exe
File created	C:\Windows\system32\53f7496f-f126-4c75-ac3c-b25e243ffd2f	javaw.exe
File opened for modification	C:\Windows\system32\53f7496f-f126-4c75-ac3c-b25e243ffd2f	javaw.exe
File opened for modification	C:\Windows\System32\53f7496f-f126-4c75-ac3c-b25e243ffd2f	javaw.exe
File created	C:\Windows\SysWOW64\._cache_MINECR~1.EXE	MINECR~1.EXE
File opened for modification	C:\Windows\system32\aa35f961-dba3-4b9b-ac58-0bea58b98572	javaw.exe
File opened for modification	C:\Windows\System32\2c5b6ba2-5107-484a-8e20-d7b3ac11f222	javaw.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3612	tasklist.exe
4504	tasklist.exe
4556	tasklist.exe
4084	tasklist.exe
1816	tasklist.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023d05-521.dat	upx
behavioral1/files/0x0007000000023d09-549.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	windef_installer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	svchost.com
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	windef_installer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~3\Drivers\start.exe	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~3\Drivers\Start.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	windef_installer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~3\Drivers\curl.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	windef_installer.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	windef_installer.exe

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	windef_installer.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDEF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDEF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3MB_ON~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windef_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3MB_ON~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CHEAT_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6812964531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOC~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MINECR~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CHEAT_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat_master_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cheat_master_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3mb_online_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windef_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDEF~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1032	cmd.exe
632	cmd.exe
1104	PING.EXE
1292	cmd.exe
6260	cmd.exe
6148	cmd.exe
4536	cmd.exe
1496	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Kills process with taskkill 64 IoCs

evasion

pid	Process
2568	taskkill.exe
4312	taskkill.exe
1180	taskkill.exe
3848	taskkill.exe
1484	taskkill.exe
2864	taskkill.exe
4860	taskkill.exe
6924	taskkill.exe
7024	taskkill.exe
7000	taskkill.exe
3864	taskkill.exe
2964	taskkill.exe
4960	taskkill.exe
4124	taskkill.exe
5472	taskkill.exe
7016	taskkill.exe
7088	taskkill.exe
6232	taskkill.exe
3008	taskkill.exe
6676	taskkill.exe
2792	taskkill.exe
6684	taskkill.exe
6876	taskkill.exe
5528	taskkill.exe
4768	taskkill.exe
6692	taskkill.exe
6836	taskkill.exe
6892	taskkill.exe
3920	taskkill.exe
1760	taskkill.exe
4436	taskkill.exe
6992	taskkill.exe
5864	taskkill.exe
5172	taskkill.exe
3892	taskkill.exe
4964	taskkill.exe
6668	taskkill.exe
6868	taskkill.exe
5488	taskkill.exe
5536	taskkill.exe
1564	taskkill.exe
4428	taskkill.exe
4244	taskkill.exe
748	taskkill.exe
1452	taskkill.exe
6416	taskkill.exe
7112	taskkill.exe
7144	taskkill.exe
4420	taskkill.exe
1480	taskkill.exe
6064	taskkill.exe
6044	taskkill.exe
6224	taskkill.exe
6240	taskkill.exe
6192	taskkill.exe
4348	taskkill.exe
3324	taskkill.exe
6652	taskkill.exe
7160	taskkill.exe
64	taskkill.exe
4444	taskkill.exe
1504	taskkill.exe
6932	taskkill.exe
5728	taskkill.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	._cache_MINECR~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MINECR~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MINECR~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Start.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	WINDEF~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	java.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	windef_installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	javaw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	._cache_MINECR~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	3MB_ON~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	windef_installer.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	._cache_MINECR~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MINECR~1.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1496	PING.EXE
1104	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3600	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4856	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe
3928	cheat_master_install.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3928	cheat_master_install.exe
4932	CHEAT_~1.EXE
1336	CHEAT_~1.EXE
4988	WINLOC~1.EXE
4940	javaw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	464	WMIC.exe
Token: SeSecurityPrivilege	464	WMIC.exe
Token: SeTakeOwnershipPrivilege	464	WMIC.exe
Token: SeLoadDriverPrivilege	464	WMIC.exe
Token: SeSystemProfilePrivilege	464	WMIC.exe
Token: SeSystemtimePrivilege	464	WMIC.exe
Token: SeProfSingleProcessPrivilege	464	WMIC.exe
Token: SeIncBasePriorityPrivilege	464	WMIC.exe
Token: SeCreatePagefilePrivilege	464	WMIC.exe
Token: SeBackupPrivilege	464	WMIC.exe
Token: SeRestorePrivilege	464	WMIC.exe
Token: SeShutdownPrivilege	464	WMIC.exe
Token: SeDebugPrivilege	464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	464	WMIC.exe
Token: SeRemoteShutdownPrivilege	464	WMIC.exe
Token: SeUndockPrivilege	464	WMIC.exe
Token: SeManageVolumePrivilege	464	WMIC.exe
Token: 33	464	WMIC.exe
Token: 34	464	WMIC.exe
Token: 35	464	WMIC.exe
Token: 36	464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	464	WMIC.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2056	java.exe
4940	javaw.exe
3928	cheat_master_install.exe
840	cheat_master_install.exe
3260	Start.exe
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4856	EXCEL.EXE
4932	CHEAT_~1.EXE
1336	CHEAT_~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 2312	3252	6812964531.exe	84
PID 3252 wrote to memory of 2312	3252	6812964531.exe	84
PID 2312 wrote to memory of 2056	2312	javaw.exe	97
PID 2312 wrote to memory of 2056	2312	javaw.exe	97
PID 2056 wrote to memory of 5100	2056	java.exe	100
PID 2056 wrote to memory of 5100	2056	java.exe	100
PID 5100 wrote to memory of 1484	5100	cmd.exe	102
PID 5100 wrote to memory of 1484	5100	cmd.exe	102
PID 2056 wrote to memory of 3776	2056	java.exe	103
PID 2056 wrote to memory of 3776	2056	java.exe	103
PID 3776 wrote to memory of 3600	3776	cmd.exe	105
PID 3776 wrote to memory of 3600	3776	cmd.exe	105
PID 2056 wrote to memory of 892	2056	java.exe	106
PID 2056 wrote to memory of 892	2056	java.exe	106
PID 4940 wrote to memory of 452	4940	javaw.exe	110
PID 4940 wrote to memory of 452	4940	javaw.exe	110
PID 452 wrote to memory of 3664	452	cmd.exe	112
PID 452 wrote to memory of 3664	452	cmd.exe	112
PID 4940 wrote to memory of 1320	4940	javaw.exe	113
PID 4940 wrote to memory of 1320	4940	javaw.exe	113
PID 1320 wrote to memory of 464	1320	cmd.exe	115
PID 1320 wrote to memory of 464	1320	cmd.exe	115
PID 4940 wrote to memory of 3928	4940	javaw.exe	125
PID 4940 wrote to memory of 3928	4940	javaw.exe	125
PID 4940 wrote to memory of 3928	4940	javaw.exe	125
PID 4940 wrote to memory of 4456	4940	javaw.exe	127
PID 4940 wrote to memory of 4456	4940	javaw.exe	127
PID 4940 wrote to memory of 4456	4940	javaw.exe	127
PID 4456 wrote to memory of 3260	4456	3mb_online_install.exe	128
PID 4456 wrote to memory of 3260	4456	3mb_online_install.exe	128
PID 4456 wrote to memory of 3260	4456	3mb_online_install.exe	128
PID 3260 wrote to memory of 1704	3260	Start.exe	130
PID 3260 wrote to memory of 1704	3260	Start.exe	130
PID 4940 wrote to memory of 1848	4940	javaw.exe	132
PID 4940 wrote to memory of 1848	4940	javaw.exe	132
PID 4940 wrote to memory of 1848	4940	javaw.exe	132
PID 1848 wrote to memory of 452	1848	windef_installer.exe	133
PID 1848 wrote to memory of 452	1848	windef_installer.exe	133
PID 1848 wrote to memory of 452	1848	windef_installer.exe	133
PID 452 wrote to memory of 1792	452	windef_installer.exe	134
PID 452 wrote to memory of 1792	452	windef_installer.exe	134
PID 452 wrote to memory of 1792	452	windef_installer.exe	134
PID 1792 wrote to memory of 3672	1792	svchost.com	135
PID 1792 wrote to memory of 3672	1792	svchost.com	135
PID 1792 wrote to memory of 3672	1792	svchost.com	135
PID 3672 wrote to memory of 728	3672	WINLOC~1.EXE	137
PID 3672 wrote to memory of 728	3672	WINLOC~1.EXE	137
PID 3672 wrote to memory of 728	3672	WINLOC~1.EXE	137
PID 4940 wrote to memory of 5080	4940	javaw.exe	139
PID 4940 wrote to memory of 5080	4940	javaw.exe	139
PID 4940 wrote to memory of 5080	4940	javaw.exe	139
PID 5080 wrote to memory of 4288	5080	svchost.com	140
PID 5080 wrote to memory of 4288	5080	svchost.com	140
PID 5080 wrote to memory of 4288	5080	svchost.com	140
PID 4940 wrote to memory of 2216	4940	javaw.exe	141
PID 4940 wrote to memory of 2216	4940	javaw.exe	141
PID 4940 wrote to memory of 2216	4940	javaw.exe	141
PID 2216 wrote to memory of 3092	2216	svchost.com	142
PID 2216 wrote to memory of 3092	2216	svchost.com	142
PID 4940 wrote to memory of 1652	4940	javaw.exe	144
PID 4940 wrote to memory of 1652	4940	javaw.exe	144
PID 4940 wrote to memory of 1652	4940	javaw.exe	144
PID 1652 wrote to memory of 2596	1652	svchost.com	145
PID 1652 wrote to memory of 2596	1652	svchost.com	145

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cheat_master_install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cheat_master_install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	cheat_master_install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CHEAT_~1.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	CHEAT_~1.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6812964531.exe
"C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\6812964531.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    java -jar C:\Users\Admin\download_libra.jar
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        5⤵
        
        PID:1484
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3776
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /CREATE /F /SC MINUTE /TN OneDrive\OneDriveUpdateTask /RL HIGHEST /TR C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3600
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
      4⤵
      PID:892

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\cache.jar"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\cmd.exe
  cmd /c wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- C:\Windows\system32\cmd.exe
  cmd /c wmic cpu get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe
  "C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe"
  2⤵
  - UAC bypass
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3928
- C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe
  "C:\Users\Admin\AppData\Local\Temp\3mb_online_install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\ProgramData\Drivers\Start.exe
    "C:\ProgramData\Drivers\Start.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3260
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F53.tmp\9F54.tmp\9F55.bat C:\ProgramData\Drivers\Start.exe"
      4⤵
      PID:1704
- C:\Users\Admin\AppData\Local\Temp\windef_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\windef_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\windef_installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM "explorer.exe""
        6⤵
        
        PID:728
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4288
  - - C:\Windows\SysWOW64\._cache_MINECR~1.EXE
      "C:\Windows\system32\._cache_MINECR~1.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4028
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        5⤵
        
        PID:3052
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3816
    - - C:\Windows\SysWOW64\._cache_Synaptics.exe
        
        "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\cheats.exe
    C:\Users\Admin\AppData\Local\Temp\cheats.exe
    3⤵
    - Executes dropped EXE
    PID:3092
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\cheat.exe
    C:\Users\Admin\AppData\Local\Temp\cheat.exe
    3⤵
    - Executes dropped EXE
    PID:2596
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1256
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\cheats.exe
    C:\Users\Admin\AppData\Local\Temp\cheats.exe
    3⤵
    - Executes dropped EXE
    PID:3484
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:3612
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\AppData\Local\Temp\processes_282.txt
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4536
- - C:\Windows\system32\PING.EXE
    ping localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1496
- C:\Windows\system32\taskkill.exe
  taskkill /PID 3928 /F
  2⤵
  PID:3852
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4932
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5016
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3980
- C:\Windows\system32\taskkill.exe
  taskkill /IM cheat_master_install.exe /F
  2⤵
  - Kills process with taskkill
  PID:64
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2572
  - - C:\Windows\SysWOW64\._cache_MINECR~1.EXE
      "C:\Windows\system32\._cache_MINECR~1.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1268
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\cheats.exe
    C:\Users\Admin\AppData\Local\Temp\cheats.exe
    3⤵
    - Executes dropped EXE
    PID:4476
- C:\Windows\system32\taskkill.exe
  taskkill /IM cheat_master_install.exe /F
  2⤵
  PID:4136
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4504
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\AppData\Local\Temp\processes_84.txt
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1032
- C:\Windows\system32\taskkill.exe
  taskkill /PID 3928 /F
  2⤵
  PID:2488
- C:\Windows\system32\taskkill.exe
  taskkill /IM cheat_master_install.exe /F
  2⤵
  PID:2036
- C:\Windows\system32\taskkill.exe
  taskkill /IM ========================= /F
  2⤵
  - Kills process with taskkill
  PID:3920
- C:\Windows\system32\taskkill.exe
  taskkill /PID ======== /F
  2⤵
  PID:3740
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4932 /F
  2⤵
  - Kills process with taskkill
  PID:1180
- C:\Windows\system32\taskkill.exe
  taskkill /PID 3820 /F
  2⤵
  PID:1496
- C:\Windows\system32\taskkill.exe
  taskkill /IM dllhost.exe /F
  2⤵
  - Kills process with taskkill
  PID:4444
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4388 /F
  2⤵
  PID:1268
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4808 /F
  2⤵
  PID:1848
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4808 /F
  2⤵
  PID:5092
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4416 /F
  2⤵
  PID:2748
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4556
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\AppData\Local\Temp\processes_229.txt
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:632
- - C:\Windows\system32\PING.EXE
    ping localhost -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1104
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:840
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4988
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "TASKKILL /F /IM "explorer.exe""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /F /IM "explorer.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5012
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3MB_ON~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5104
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\PROGRA~3\Drivers\Start.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1528
    - - C:\PROGRA~3\Drivers\Start.exe
        
        C:\PROGRA~3\Drivers\Start.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\476C.tmp\476D.tmp\477D.bat C:\PROGRA~3\Drivers\Start.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\476C.tmp\476D.tmp\477D.bat C:\PROGRA~3\Drivers\Start.exe
        7⤵
        
        PID:2348
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\MINECR~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2712
  - - C:\Windows\SysWOW64\._cache_MINECR~1.EXE
      "C:\Windows\system32\._cache_MINECR~1.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3436
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\cheats.exe
    C:\Users\Admin\AppData\Local\Temp\cheats.exe
    3⤵
    - Executes dropped EXE
    PID:4180
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\CHEAT_~1.EXE
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1336
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4220
- - C:\Users\Admin\AppData\Local\Temp\cheat.exe
    C:\Users\Admin\AppData\Local\Temp\cheat.exe
    3⤵
    - Executes dropped EXE
    PID:380
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:3564
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\WINDEF~1.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4352
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  PID:4084
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\AppData\Local\Temp\processes_353.txt
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1292
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4084 /F
  2⤵
  PID:2064
- C:\Windows\system32\taskkill.exe
  taskkill /IM svchost.com /F
  2⤵
  - Kills process with taskkill
  PID:4420
- C:\Windows\system32\taskkill.exe
  taskkill /PID 4352 /F
  2⤵
  PID:5036
- C:\Windows\system32\taskkill.exe
  taskkill /IM WINDEF~1.EXE /F
  2⤵
  PID:4028
- C:\Windows\system32\taskkill.exe
  taskkill /PID 3380 /F
  2⤵
  PID:4300
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:2416
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:3136
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:164
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:4348
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:4740
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:1480
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:3788
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:4932
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:2620
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4760
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:3768
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:3728
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:3892
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:5076
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:528
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:3848
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:3864
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4780
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:1752
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:4500
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:4796
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:4436
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:1176
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:1504
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:3008
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:1760
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:3324
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:1904
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:2792
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:4412
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4344
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:3836
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:1660
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:2936
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:3200
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:4244
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:4312
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:2184
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:1908
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:1704
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:1420
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:3988
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:4208
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:3844
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:2196
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:3112
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:1716
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:2964
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:4400
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:2568
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:748
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:1484
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:1664
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:4728
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:4556
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:3956
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4488
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:4032
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:4860
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:1896
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:1744
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:1452
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:4012
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:4964
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:4428
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:1060
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:4136
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:3556
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:2292
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:448
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:3300
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:2864
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:3436
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:5112
- C:\Windows\system32\tasklist.exe
  tasklist.exe /fo csv /nh
  2⤵
  - Enumerates processes with tasklist
  PID:1816
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\AppData\Local\Temp\out_64096347.mp4
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6260
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:6392
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:6400
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6408
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:6416
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:6424
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:6432
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:6440
- C:\Windows\system32\cmd.exe
  cmd.exe /c dxdiag /t C:\Users\Admin\Admin\Properties.txt
  2⤵
  PID:6456
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:6644
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:6652
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6660
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:6668
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:6676
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:6684
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  - Kills process with taskkill
  PID:6692
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:6836
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:6844
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6852
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:6868
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:6876
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:6884
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:6892
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:6900
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6908
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6916
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:6924
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:6932
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:6940
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:6992
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:7000
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:7008
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:7016
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:7024
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:7032
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:7040
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:7088
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:7096
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:7104
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:7112
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:7120
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:7128
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:7136
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:7144
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:7152
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:7160
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6168
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:6192
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:6224
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  - Kills process with taskkill
  PID:6232
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:6240
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:6248
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:1836
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:1220
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:6256
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:5860
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:2860
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  PID:6340
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:5208
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:5488
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:2976
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:3520
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:5392
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  - Kills process with taskkill
  PID:4124
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:5728
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  - Kills process with taskkill
  PID:5472
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:6064
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  PID:6028
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  - Kills process with taskkill
  PID:6044
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  - Kills process with taskkill
  PID:5528
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  - Kills process with taskkill
  PID:5536
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chrome.exe
  2⤵
  - Kills process with taskkill
  PID:5864
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM firefox.exe
  2⤵
  PID:5924
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:4960
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM opera.exe
  2⤵
  - Kills process with taskkill
  PID:5172
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM msedge.exe
  2⤵
  PID:5820
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM chromium.exe
  2⤵
  PID:6128
- C:\Windows\system32\taskkill.exe
  taskkill /f /IM browser.exe
  2⤵
  PID:5372
- C:\Windows\system32\cmd.exe
  cmd /c ping localhost -n 10 > nul && del /s /q C:\Users\Admin\OZMCVSQS.zip
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6148

C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe
C:\Users\Admin\AppData\Local\Temp\cheat_master_install.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d0 0x154
1⤵
PID:2940

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery