colibri | 6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Size

4.9MB
MD5

98f6d1c7482e03953bd88b57feb7d6b0
SHA1

437f469f92fea1fe222fb031353065152eb4d95e
SHA256

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890
SHA512

240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3760	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	3760	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/388-3-0x000000001B8F0000-0x000000001BA1E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1808	powershell.exe
744	powershell.exe
3316	powershell.exe
3840	powershell.exe
720	powershell.exe
2476	powershell.exe
2356	powershell.exe
216	powershell.exe
1988	powershell.exe
1424	powershell.exe
3332	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	winlogon.exe

Executes dropped EXE 40 IoCs

Processes:

tmpAFBC.tmp.exetmpAFBC.tmp.exewinlogon.exetmpE455.tmp.exetmpE455.tmp.exewinlogon.exetmp150A.tmp.exetmp150A.tmp.exewinlogon.exetmp4580.tmp.exetmp4580.tmp.exewinlogon.exetmp630A.tmp.exetmp630A.tmp.exewinlogon.exetmp7FCA.tmp.exetmp7FCA.tmp.exewinlogon.exewinlogon.exetmpB84F.tmp.exetmpB84F.tmp.exewinlogon.exetmpE7DA.tmp.exetmpE7DA.tmp.exewinlogon.exetmp1737.tmp.exetmp1737.tmp.exewinlogon.exetmp32BE.tmp.exetmp32BE.tmp.exewinlogon.exewinlogon.exetmp7FA6.tmp.exetmp7FA6.tmp.exewinlogon.exetmpB0B8.tmp.exetmpB0B8.tmp.exewinlogon.exetmpE267.tmp.exetmpE267.tmp.exe

pid	process
1236	tmpAFBC.tmp.exe
1528	tmpAFBC.tmp.exe
4432	winlogon.exe
4336	tmpE455.tmp.exe
3980	tmpE455.tmp.exe
1448	winlogon.exe
4928	tmp150A.tmp.exe
4668	tmp150A.tmp.exe
1348	winlogon.exe
3784	tmp4580.tmp.exe
3520	tmp4580.tmp.exe
4796	winlogon.exe
1108	tmp630A.tmp.exe
4972	tmp630A.tmp.exe
3600	winlogon.exe
2380	tmp7FCA.tmp.exe
2708	tmp7FCA.tmp.exe
4924	winlogon.exe
4788	winlogon.exe
744	tmpB84F.tmp.exe
4500	tmpB84F.tmp.exe
4180	winlogon.exe
4016	tmpE7DA.tmp.exe
4876	tmpE7DA.tmp.exe
1832	winlogon.exe
4284	tmp1737.tmp.exe
4784	tmp1737.tmp.exe
4336	winlogon.exe
1436	tmp32BE.tmp.exe
4324	tmp32BE.tmp.exe
5000	winlogon.exe
2508	winlogon.exe
3888	tmp7FA6.tmp.exe
2032	tmp7FA6.tmp.exe
1836	winlogon.exe
4784	tmpB0B8.tmp.exe
2764	tmpB0B8.tmp.exe
3904	winlogon.exe
4796	tmpE267.tmp.exe
3816	tmpE267.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 13 IoCs

Processes:

tmpAFBC.tmp.exetmpE455.tmp.exetmp150A.tmp.exetmp4580.tmp.exetmp630A.tmp.exetmp7FCA.tmp.exetmpB84F.tmp.exetmpE7DA.tmp.exetmp1737.tmp.exetmp32BE.tmp.exetmp7FA6.tmp.exetmpB0B8.tmp.exetmpE267.tmp.exe

description	pid	process	target process
PID 1236 set thread context of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 4336 set thread context of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4928 set thread context of 4668	4928	tmp150A.tmp.exe	tmp150A.tmp.exe
PID 3784 set thread context of 3520	3784	tmp4580.tmp.exe	tmp4580.tmp.exe
PID 1108 set thread context of 4972	1108	tmp630A.tmp.exe	tmp630A.tmp.exe
PID 2380 set thread context of 2708	2380	tmp7FCA.tmp.exe	tmp7FCA.tmp.exe
PID 744 set thread context of 4500	744	tmpB84F.tmp.exe	tmpB84F.tmp.exe
PID 4016 set thread context of 4876	4016	tmpE7DA.tmp.exe	tmpE7DA.tmp.exe
PID 4284 set thread context of 4784	4284	tmp1737.tmp.exe	tmp1737.tmp.exe
PID 1436 set thread context of 4324	1436	tmp32BE.tmp.exe	tmp32BE.tmp.exe
PID 3888 set thread context of 2032	3888	tmp7FA6.tmp.exe	tmp7FA6.tmp.exe
PID 4784 set thread context of 2764	4784	tmpB0B8.tmp.exe	tmpB0B8.tmp.exe
PID 4796 set thread context of 3816	4796	tmpE267.tmp.exe	tmpE267.tmp.exe

Drops file in Program Files directory 12 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files\Google\backgroundTaskHost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files\Google\eddb19405b7ce1	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\RCXAB54.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXB404.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Program Files\Google\RCXBB1B.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Program Files\Google\backgroundTaskHost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\cc11b995f2a76d	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Program Files\Windows Photo Viewer\9e8d7a4ca61bd9	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe

Drops file in Windows directory 12 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe

description	ioc	process
File opened for modification	C:\Windows\Web\Screen\RCXB686.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\Vss\Writers\Application\wininit.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\Web\Screen\dllhost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\Web\Screen\5940a34987c991	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXAF6D.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Windows\Vss\Writers\Application\wininit.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\Vss\Writers\Application\56085415360792	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\27d1bcfc3c54e0	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Windows\Web\Screen\dllhost.exe	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\RCXBD9D.tmp	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpAFBC.tmp.exetmpE455.tmp.exetmp150A.tmp.exetmp4580.tmp.exetmp7FA6.tmp.exetmpE267.tmp.exetmp630A.tmp.exetmp7FCA.tmp.exetmpB84F.tmp.exetmpE7DA.tmp.exetmp1737.tmp.exetmp32BE.tmp.exetmpB0B8.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAFBC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE455.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp150A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4580.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FA6.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE267.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp630A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FCA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB84F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7DA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1737.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp32BE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB0B8.tmp.exe

Modifies registry class 15 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4640	schtasks.exe
868	schtasks.exe
380	schtasks.exe
2476	schtasks.exe
3840	schtasks.exe
1536	schtasks.exe
1004	schtasks.exe
3032	schtasks.exe
3956	schtasks.exe
1776	schtasks.exe
2356	schtasks.exe
2804	schtasks.exe
3016	schtasks.exe
3460	schtasks.exe
396	schtasks.exe
2228	schtasks.exe
5000	schtasks.exe
3972	schtasks.exe
1052	schtasks.exe
744	schtasks.exe
3964	schtasks.exe
1916	schtasks.exe
4336	schtasks.exe
3732	schtasks.exe
2308	schtasks.exe
1060	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
3332	powershell.exe
3332	powershell.exe
3840	powershell.exe
3840	powershell.exe
744	powershell.exe
744	powershell.exe
720	powershell.exe
720	powershell.exe
216	powershell.exe
216	powershell.exe
1988	powershell.exe
1988	powershell.exe
1424	powershell.exe
1424	powershell.exe
1808	powershell.exe
1808	powershell.exe
2476	powershell.exe
2476	powershell.exe
3316	powershell.exe
3316	powershell.exe
1808	powershell.exe
2476	powershell.exe
720	powershell.exe
2356	powershell.exe
2356	powershell.exe
1988	powershell.exe
216	powershell.exe
744	powershell.exe
3332	powershell.exe
3840	powershell.exe
1424	powershell.exe
3316	powershell.exe
2356	powershell.exe
4432	winlogon.exe
1448	winlogon.exe
1348	winlogon.exe
4796	winlogon.exe
3600	winlogon.exe
4924	winlogon.exe
4788	winlogon.exe
4180	winlogon.exe
1832	winlogon.exe
4336	winlogon.exe
5000	winlogon.exe
5000	winlogon.exe
2508	winlogon.exe
2508	winlogon.exe
1836	winlogon.exe
1836	winlogon.exe
3904	winlogon.exe
3904	winlogon.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4432	winlogon.exe
Token: SeDebugPrivilege	1448	winlogon.exe
Token: SeDebugPrivilege	1348	winlogon.exe
Token: SeDebugPrivilege	4796	winlogon.exe
Token: SeDebugPrivilege	3600	winlogon.exe
Token: SeDebugPrivilege	4924	winlogon.exe
Token: SeDebugPrivilege	4788	winlogon.exe
Token: SeDebugPrivilege	4180	winlogon.exe
Token: SeDebugPrivilege	1832	winlogon.exe
Token: SeDebugPrivilege	4336	winlogon.exe
Token: SeDebugPrivilege	5000	winlogon.exe
Token: SeDebugPrivilege	2508	winlogon.exe
Token: SeDebugPrivilege	1836	winlogon.exe
Token: SeDebugPrivilege	3904	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exetmpAFBC.tmp.execmd.exewinlogon.exetmpE455.tmp.exeWScript.exewinlogon.exetmp150A.tmp.exe

description	pid	process	target process
PID 388 wrote to memory of 1236	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	tmpAFBC.tmp.exe
PID 388 wrote to memory of 1236	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	tmpAFBC.tmp.exe
PID 388 wrote to memory of 1236	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 1236 wrote to memory of 1528	1236	tmpAFBC.tmp.exe	tmpAFBC.tmp.exe
PID 388 wrote to memory of 3332	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 3332	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 2356	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 2356	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1424	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1424	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 2476	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 2476	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 720	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 720	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1988	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1988	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 3840	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 3840	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 3316	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 3316	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 744	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 744	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1808	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 1808	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 216	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 216	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	powershell.exe
PID 388 wrote to memory of 4472	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	cmd.exe
PID 388 wrote to memory of 4472	388	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe	cmd.exe
PID 4472 wrote to memory of 616	4472	cmd.exe	w32tm.exe
PID 4472 wrote to memory of 616	4472	cmd.exe	w32tm.exe
PID 4472 wrote to memory of 4432	4472	cmd.exe	winlogon.exe
PID 4472 wrote to memory of 4432	4472	cmd.exe	winlogon.exe
PID 4432 wrote to memory of 1496	4432	winlogon.exe	WScript.exe
PID 4432 wrote to memory of 1496	4432	winlogon.exe	WScript.exe
PID 4432 wrote to memory of 1988	4432	winlogon.exe	WScript.exe
PID 4432 wrote to memory of 1988	4432	winlogon.exe	WScript.exe
PID 4432 wrote to memory of 4336	4432	winlogon.exe	tmpE455.tmp.exe
PID 4432 wrote to memory of 4336	4432	winlogon.exe	tmpE455.tmp.exe
PID 4432 wrote to memory of 4336	4432	winlogon.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 4336 wrote to memory of 3980	4336	tmpE455.tmp.exe	tmpE455.tmp.exe
PID 1496 wrote to memory of 1448	1496	WScript.exe	winlogon.exe
PID 1496 wrote to memory of 1448	1496	WScript.exe	winlogon.exe
PID 1448 wrote to memory of 4844	1448	winlogon.exe	WScript.exe
PID 1448 wrote to memory of 4844	1448	winlogon.exe	WScript.exe
PID 1448 wrote to memory of 4620	1448	winlogon.exe	WScript.exe
PID 1448 wrote to memory of 4620	1448	winlogon.exe	WScript.exe
PID 1448 wrote to memory of 4928	1448	winlogon.exe	tmp150A.tmp.exe
PID 1448 wrote to memory of 4928	1448	winlogon.exe	tmp150A.tmp.exe
PID 1448 wrote to memory of 4928	1448	winlogon.exe	tmp150A.tmp.exe
PID 4928 wrote to memory of 4668	4928	tmp150A.tmp.exe	tmp150A.tmp.exe
PID 4928 wrote to memory of 4668	4928	tmp150A.tmp.exe	tmp150A.tmp.exe
PID 4928 wrote to memory of 4668	4928	tmp150A.tmp.exe	tmp150A.tmp.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe
"C:\Users\Admin\AppData\Local\Temp\6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:388
- C:\Users\Admin\AppData\Local\Temp\tmpAFBC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAFBC.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\tmpAFBC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpAFBC.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:616
- - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4432
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\654cfdd6-e317-44cd-899d-514490ea6b7b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6db3d52e-2880-4e92-9c7b-de45b8a0f4e6.vbs"
        6⤵
        
        PID:4844
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b959935-3da8-4e89-8b27-99dab1c0aeb1.vbs"
        8⤵
        
        PID:4516
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e5da77-672c-43ac-a1ea-b86e50fe4811.vbs"
        10⤵
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e4c45f3-a9f8-4c79-b932-af19090b4ed6.vbs"
        12⤵
        
        PID:1972
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e46b761-fe9f-4be6-badb-e06564917733.vbs"
        14⤵
        
        PID:1548
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d9a6f8-43b4-488d-b101-e7c82524776a.vbs"
        16⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e347f049-cb18-4471-82cf-f1d7d679ad6a.vbs"
        18⤵
        
        PID:3572
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922bcf45-0fbb-4e98-af6f-27d7caabb736.vbs"
        20⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe43d5b-3645-429e-bdd4-e915c2bd99c1.vbs"
        22⤵
        
        PID:3332
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6637d18-0caf-4b72-b66f-8d9689dfb9e2.vbs"
        24⤵
        
        PID:3444
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5449a29e-8fc6-4274-b914-fa93c3ede687.vbs"
        26⤵
        
        PID:4196
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e063232a-94e0-46ee-b2f0-a293ee75c1b9.vbs"
        28⤵
        
        PID:4552
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9b2b458-749d-421a-819f-a6148e2821b5.vbs"
        30⤵
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa3dd39-991f-4778-b45d-a990c51d736e.vbs"
        30⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmpE267.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE267.tmp.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmpE267.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE267.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a933ec0-1b40-47b4-9250-076dfb1aada7.vbs"
        28⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmpB0B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB0B8.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmpB0B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB0B8.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb064f3-915a-4dfe-af98-8e0ac2f10288.vbs"
        26⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7FA6.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cbd028e-f0c0-4672-817c-b9ba28347d67.vbs"
        24⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b926902-9c98-4a1e-9236-dedccd612e3e.vbs"
        22⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp32BE.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27dcc334-beb8-475b-8fdf-ca71ca5e1182.vbs"
        20⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1737.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a05dd7b-e659-432e-9641-147a78826c1e.vbs"
        18⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7DA.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmpE7DA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE7DA.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7068e693-5a1f-4209-bca1-99d6c35e4edb.vbs"
        16⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmpB84F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB84F.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmpB84F.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB84F.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2595e02-6966-4a1e-aa2d-31b2add69ecb.vbs"
        14⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\278eac50-18f6-4c0e-b1ca-ccac6c1f80b5.vbs"
        12⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7FCA.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0a10a42-4285-48e7-866b-cba426ae9b2d.vbs"
        10⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp630A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp630A.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp630A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp630A.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f159676a-fcf4-4aaf-a04e-ff9e8e115b1a.vbs"
        8⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp4580.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4580.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp4580.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4580.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3520
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c2e1829-4c8a-4e62-af60-9eabdeecd3f8.vbs"
        6⤵
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\tmp150A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp150A.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp150A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp150A.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1cccdff-1eaa-41b5-bea3-2967193520af.vbs"
      4⤵
      PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\Screen\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Screen\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe

Filesize
4.9MB

MD5
98f6d1c7482e03953bd88b57feb7d6b0

SHA1
437f469f92fea1fe222fb031353065152eb4d95e

SHA256
6b446d1d3f1ed5c7cc712e7c6516ad5e620a94eadb0023abb3961afc17c82890

SHA512
240e23c6a92008588b5e70969bbc94b2adfb12fb74e5f31ee4d3fc3b918b160bb13868ab29f14b29029a5889f0aff635a97507c6c1ae13dcadaaa6998d6f8165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
806278521175098c2e659c9417b99418

SHA1
99ca63d64a4eb5e542dc4b874cd66645d3044703

SHA256
c5247cef711c49da92396551928cfcdc3fce165d55d83c3202e006ebf492697e

SHA512
394e97bfb29997b57db49e6af3f04e3fe0ee31dc9a075892792286323ebb1a9d5b045f5e62eca9952ce47edb90798aa3847c4d2b4252768e93f61ed929c12f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
59c3ab63ac7d4a904864d9a51fa7d955

SHA1
b9d5a24947ece3b115014b1822abba8e1c7e14f7

SHA256
00bd5fed579eb92cdb366cc449e773808555b2b8fb2a58cc9a10eadc06886931

SHA512
decc2d9bf4fa1075433a260927ab74614ce158b2c5f569ddf9cf6c09f22901f11c1c970f61850c7fe001ae4d50a64ccdb05cde6dbb380f10001647594639e6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\08d9a6f8-43b4-488d-b101-e7c82524776a.vbs

Filesize
746B

MD5
e2d00758fb4c2b44338d8b51115fadda

SHA1
3b90abb589e7e6eedd9ca5a1be0d6edc4ef2b6fb

SHA256
cf74f5882b42b8393b3635ac8ee00ce1aa961e4c5b51848501a016c762d48d57

SHA512
cf7a4c60b7cfe8277607934e37c951b769e62e52f4fe159c6b9c1c1105ec45ee816ae4f143d3af761b99d82a37b46ea3e244d8ccf3fd7598ba9771cf599c39e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b959935-3da8-4e89-8b27-99dab1c0aeb1.vbs

Filesize
746B

MD5
2a81da6546245916010314ba86435e0f

SHA1
0faca01dea6c634ad4482e20a86b0b93a3e8fe21

SHA256
9be807be5801b59029c7f4fa398d524cf14467703480ad2df4de81b304eab4fa

SHA512
2daeab30b42809695550216a719df2bacbf8ebe04c17beecf437d067c3d4dcb392ecd4bb3725bfd9567d04e1eb05adab478bfbc61bd8f8dc8217d9e8c721387a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e4c45f3-a9f8-4c79-b932-af19090b4ed6.vbs

Filesize
746B

MD5
0e81203fa389701e8a442e376713ad5b

SHA1
4c1ce2d31fefc61c32f0aab7b54f01f532e49235

SHA256
4c520d563fdbae34436ece0311e960dc0a9bbfc620965756d069f7a4e30e0ec4

SHA512
312ef69e1929c0a0e6d5c8841274145c4642760533a7ef1f38b163ca0a0710e3b096a2aa0b52a04b70c63cacd00c54d66279f7591f8c10088066514446b6df68

Download Submit
C:\Users\Admin\AppData\Local\Temp\654cfdd6-e317-44cd-899d-514490ea6b7b.vbs

Filesize
746B

MD5
3b02d468b0fffeea760a7fb636c6cb7b

SHA1
8cabff4993c5268923c21a75587c555a9c3bdc5c

SHA256
dace5d47e693a1a4df42d485b4c9a9add61f6d1e77b8a3d46dd1803641aa90ad

SHA512
ed3994f2fecdb9b831febe3589556200cbd1fe75e7a9a77d0d163553a255a5804723f3badf77cb3fa58510a96a577636060297041f31facce0f6fcb30798da55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6db3d52e-2880-4e92-9c7b-de45b8a0f4e6.vbs

Filesize
746B

MD5
2b981c7eb253a975721fe014f2352c3f

SHA1
aaa9e1560239886fab2d145817d804f9a6339586

SHA256
167c8d5a32d1b1e46b000a25f9b64220f0d3e4db339c47f71681d3fa24a94956

SHA512
5e7a624c9eaaaafb811207235db1ed810d9eb711402687617ee144d9910df81a43c0aed401c4aa0d427cf6d0119f70be15c5809e5ff4a72a8d36fad200edcfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e46b761-fe9f-4be6-badb-e06564917733.vbs

Filesize
746B

MD5
7090949ec171d861d895335f26b90c1a

SHA1
56e964d8eb31d5bb75d51b042d11baa91052b0d9

SHA256
6b366722eae5621911c329976fafe1486dde4b580d4a19bf1d0d475e1d259902

SHA512
c817b2f814287c266716d6056572f988f55cb5ebcb518fb5790baaa452a2df2ee55ebaca74290420d9479d869889514f61bd5cea72717282069bf60682567cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NviAgREO5T.bat

Filesize
235B

MD5
35b537c49b22211ccd415f1c9766577c

SHA1
a736597263e084e113eb7699529e24710e7e31b9

SHA256
d8b7fcd077bc0d8909e534d7f757161f74786b41852ca48ad1de26a4c20657a2

SHA512
f7a19979db55daacf200363807acf4f1bba3c88f439209aede12fbe89e3db12a957b49ab4d7906d5616b9c7c022a6282417f50f7b79afbb2d20cac4723bd73b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isrmxrzc.2ws.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1cccdff-1eaa-41b5-bea3-2967193520af.vbs

Filesize
522B

MD5
f5645990d9a5794160a83e5ceda87550

SHA1
984e09c01862113bca63da7363d096656135daa4

SHA256
c758f8d6cb994a364178f55836ecd2356f47cb1a385ad739a11e1201c20f7792

SHA512
6dde867683344687f1e21a492da50eaa162564c46a42d54b8adbb5884cb11b27f52e37b43cf1082e0d08e736d70987ef6d1aff634c4a7436a5bacabc56c07295

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5e5da77-672c-43ac-a1ea-b86e50fe4811.vbs

Filesize
746B

MD5
e1ce228ccf67e325661bae9d43309027

SHA1
a3ba04933325df39f68966f9fbf9f634bc72911e

SHA256
33af3af35f435cff8620ce57ee642e18b33d9daa57e501c281e6faedc258c049

SHA512
d21471540b000b1c773ea30c3a8b9c668708a61726ba68ea03c6b2e6ae8644f62dc1248ffaac6730250346f1dd0115b29abb629f0a44c8465cc6c37d15a79ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFBC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System\a67e70d6e6bdcf4ac31a986148d455c4\System.exe

Filesize
4.9MB

MD5
a7e879741b9e243924ab5672b54515b9

SHA1
9bbebd54c8662aa333e8997053560cc788dbdca3

SHA256
3b15c4609d08dbfec2c9b7499a585750a91e0ee99dcbe6afbc05a6013c973e0c

SHA512
99bd30e6beb158bda9ee2b6a0750d5e49dbbf7796a4f1c8ae5d9300b408f10f661f8ea66faac7b5642080d9438184b7d60a30ed4e4ff356bebe8783c0440e6c3

Download Submit
memory/388-14-0x000000001C090000-0x000000001C09E000-memory.dmp

Filesize
56KB

Download
memory/388-7-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/388-115-0x00007FFCBBE70000-0x00007FFCBC931000-memory.dmp

Filesize
10.8MB

Download
memory/388-1-0x0000000000680000-0x0000000000B74000-memory.dmp

Filesize
5.0MB

Download
memory/388-17-0x000000001C110000-0x000000001C118000-memory.dmp

Filesize
32KB

Download
memory/388-18-0x000000001C220000-0x000000001C22C000-memory.dmp

Filesize
48KB

Download
memory/388-16-0x000000001C100000-0x000000001C108000-memory.dmp

Filesize
32KB

Download
memory/388-15-0x000000001C0A0000-0x000000001C0AE000-memory.dmp

Filesize
56KB

Download
memory/388-12-0x000000001C630000-0x000000001CB58000-memory.dmp

Filesize
5.2MB

Download
memory/388-0-0x00007FFCBBE73000-0x00007FFCBBE75000-memory.dmp

Filesize
8KB

Download
memory/388-13-0x000000001C080000-0x000000001C08A000-memory.dmp

Filesize
40KB

Download
memory/388-11-0x000000001C070000-0x000000001C082000-memory.dmp

Filesize
72KB

Download
memory/388-10-0x000000001C060000-0x000000001C06A000-memory.dmp

Filesize
40KB

Download
memory/388-9-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/388-8-0x000000001BA20000-0x000000001BA36000-memory.dmp

Filesize
88KB

Download
memory/388-2-0x00007FFCBBE70000-0x00007FFCBC931000-memory.dmp

Filesize
10.8MB

Download
memory/388-5-0x000000001C0B0000-0x000000001C100000-memory.dmp

Filesize
320KB

Download
memory/388-3-0x000000001B8F0000-0x000000001BA1E000-memory.dmp

Filesize
1.2MB

Download
memory/388-4-0x000000001B8B0000-0x000000001B8CC000-memory.dmp

Filesize
112KB

Download
memory/388-6-0x0000000002D90000-0x0000000002D98000-memory.dmp

Filesize
32KB

Download
memory/744-130-0x000001E187410000-0x000001E187432000-memory.dmp

Filesize
136KB

Download
memory/1348-314-0x000000001CA30000-0x000000001CB32000-memory.dmp

Filesize
1.0MB

Download
memory/1448-290-0x000000001C4B0000-0x000000001C5B2000-memory.dmp

Filesize
1.0MB

Download
memory/1448-289-0x000000001C4B0000-0x000000001C5B2000-memory.dmp

Filesize
1.0MB

Download
memory/1528-69-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3600-340-0x000000001B6B0000-0x000000001B6C2000-memory.dmp

Filesize
72KB

Download
memory/3600-363-0x000000001CD10000-0x000000001CE12000-memory.dmp

Filesize
1.0MB

Download
memory/3904-489-0x000000001B550000-0x000000001B562000-memory.dmp

Filesize
72KB

Download
memory/4788-377-0x000000001BDE0000-0x000000001BDF2000-memory.dmp

Filesize
72KB

Download
memory/4796-338-0x000000001C8C0000-0x000000001C9C2000-memory.dmp

Filesize
1.0MB

Download
memory/4924-375-0x000000001C0E0000-0x000000001C1E2000-memory.dmp

Filesize
1.0MB

Download