colibri | 7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Size

4.9MB
MD5

cdd2f8f721e6359a948f6b6c4d1d5cd0
SHA1

b30e80a275147eb27e916e11fcb80233f6b9cf73
SHA256

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d
SHA512

04e0ce6889b21c8560206b938aa3223d7ab4e0a874e74a79cd8e365b8adafe71523da0f27f4717b49bae01fc20a0ec7d3002a944bff5817e1d02f3db2b98524d
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1584	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1584	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

fontdrvhost.exefontdrvhost.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2996-2-0x000000001B6D0000-0x000000001B7FE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2216	powershell.exe
812	powershell.exe
2524	powershell.exe
1364	powershell.exe
4892	powershell.exe
2816	powershell.exe
884	powershell.exe
1416	powershell.exe
2660	powershell.exe
4592	powershell.exe
3276	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 34 IoCs

Processes:

tmp9481.tmp.exetmp9481.tmp.exefontdrvhost.exetmpCD33.tmp.exetmpCD33.tmp.exefontdrvhost.exetmpB.tmp.exetmpB.tmp.exefontdrvhost.exetmp1BC0.tmp.exetmp1BC0.tmp.exetmp1BC0.tmp.exefontdrvhost.exetmp3767.tmp.exetmp3767.tmp.exefontdrvhost.exetmp6741.tmp.exetmp6741.tmp.exefontdrvhost.exetmp82B8.tmp.exetmp82B8.tmp.exefontdrvhost.exetmpA033.tmp.exetmpA033.tmp.exefontdrvhost.exefontdrvhost.exetmpEBA3.tmp.exetmpEBA3.tmp.exefontdrvhost.exetmp1BFA.tmp.exetmp1BFA.tmp.exefontdrvhost.exetmp4C42.tmp.exetmp4C42.tmp.exe

pid	process
4572	tmp9481.tmp.exe
1808	tmp9481.tmp.exe
4828	fontdrvhost.exe
2276	tmpCD33.tmp.exe
2268	tmpCD33.tmp.exe
1496	fontdrvhost.exe
4464	tmpB.tmp.exe
2500	tmpB.tmp.exe
736	fontdrvhost.exe
1076	tmp1BC0.tmp.exe
2204	tmp1BC0.tmp.exe
2868	tmp1BC0.tmp.exe
916	fontdrvhost.exe
2732	tmp3767.tmp.exe
556	tmp3767.tmp.exe
4992	fontdrvhost.exe
464	tmp6741.tmp.exe
4028	tmp6741.tmp.exe
516	fontdrvhost.exe
1544	tmp82B8.tmp.exe
1808	tmp82B8.tmp.exe
1408	fontdrvhost.exe
3184	tmpA033.tmp.exe
3276	tmpA033.tmp.exe
376	fontdrvhost.exe
2560	fontdrvhost.exe
860	tmpEBA3.tmp.exe
2088	tmpEBA3.tmp.exe
1300	fontdrvhost.exe
3760	tmp1BFA.tmp.exe
1716	tmp1BFA.tmp.exe
2132	fontdrvhost.exe
4728	tmp4C42.tmp.exe
1568	tmp4C42.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fontdrvhost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

tmp9481.tmp.exetmpCD33.tmp.exetmpB.tmp.exetmp1BC0.tmp.exetmp3767.tmp.exetmp6741.tmp.exetmp82B8.tmp.exetmpA033.tmp.exetmpEBA3.tmp.exetmp1BFA.tmp.exetmp4C42.tmp.exe

description	pid	process	target process
PID 4572 set thread context of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 2276 set thread context of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 4464 set thread context of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 2204 set thread context of 2868	2204	tmp1BC0.tmp.exe	tmp1BC0.tmp.exe
PID 2732 set thread context of 556	2732	tmp3767.tmp.exe	tmp3767.tmp.exe
PID 464 set thread context of 4028	464	tmp6741.tmp.exe	tmp6741.tmp.exe
PID 1544 set thread context of 1808	1544	tmp82B8.tmp.exe	tmp82B8.tmp.exe
PID 3184 set thread context of 3276	3184	tmpA033.tmp.exe	tmpA033.tmp.exe
PID 860 set thread context of 2088	860	tmpEBA3.tmp.exe	tmpEBA3.tmp.exe
PID 3760 set thread context of 1716	3760	tmp1BFA.tmp.exe	tmp1BFA.tmp.exe
PID 4728 set thread context of 1568	4728	tmp4C42.tmp.exe	tmp4C42.tmp.exe

Drops file in Program Files directory 20 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\dwm.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Windows NT\6cb0b6c459d5d3	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\OfficeClickToRun.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\e6c9b481da804f	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\RCX9D22.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\dwm.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Common Files\Services\9e8d7a4ca61bd9	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\OfficeClickToRun.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXB518.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXB303.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\backgroundTaskHost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXA1C7.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\backgroundTaskHost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXB799.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\eddb19405b7ce1	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

Drops file in Windows directory 12 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

description	ioc	process
File opened for modification	C:\Windows\Provisioning\RCX92BB.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Windows\es-ES\RCX94C1.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Windows\TAPI\dwm.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Windows\Provisioning\upfc.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\Provisioning\ea1d8f6d871115	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\es-ES\backgroundTaskHost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\es-ES\eddb19405b7ce1	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\TAPI\dwm.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\TAPI\6cb0b6c459d5d3	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Windows\es-ES\backgroundTaskHost.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File opened for modification	C:\Windows\TAPI\RCXAC6A.tmp	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
File created	C:\Windows\Provisioning\upfc.exe	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpCD33.tmp.exetmpB.tmp.exetmp1BC0.tmp.exetmp1BC0.tmp.exetmp3767.tmp.exetmp6741.tmp.exetmp82B8.tmp.exetmp9481.tmp.exetmpEBA3.tmp.exetmp1BFA.tmp.exetmp4C42.tmp.exetmpA033.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCD33.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1BC0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1BC0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3767.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6741.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp82B8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9481.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEBA3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1BFA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4C42.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA033.tmp.exe

Modifies registry class 12 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1272	schtasks.exe
3456	schtasks.exe
4116	schtasks.exe
3680	schtasks.exe
1736	schtasks.exe
2320	schtasks.exe
2724	schtasks.exe
3048	schtasks.exe
1720	schtasks.exe
2832	schtasks.exe
3068	schtasks.exe
2824	schtasks.exe
2164	schtasks.exe
2864	schtasks.exe
4488	schtasks.exe
4556	schtasks.exe
3756	schtasks.exe
2276	schtasks.exe
776	schtasks.exe
4120	schtasks.exe
3916	schtasks.exe
2096	schtasks.exe
4364	schtasks.exe
4976	schtasks.exe
3300	schtasks.exe
4304	schtasks.exe
2748	schtasks.exe
4152	schtasks.exe
944	schtasks.exe
2432	schtasks.exe
512	schtasks.exe
4632	schtasks.exe
4696	schtasks.exe
4896	schtasks.exe
2188	schtasks.exe
4616	schtasks.exe
1412	schtasks.exe
2200	schtasks.exe
1172	schtasks.exe
920	schtasks.exe
5012	schtasks.exe
3488	schtasks.exe
3264	schtasks.exe
3716	schtasks.exe
1716	schtasks.exe
3620	schtasks.exe
1740	schtasks.exe
464	schtasks.exe
4216	schtasks.exe
4028	schtasks.exe
2172	schtasks.exe
228	schtasks.exe
3944	schtasks.exe
4808	schtasks.exe
2312	schtasks.exe
2072	schtasks.exe
1640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
3276	powershell.exe
3276	powershell.exe
2524	powershell.exe
2524	powershell.exe
2216	powershell.exe
2216	powershell.exe
1416	powershell.exe
1416	powershell.exe
812	powershell.exe
812	powershell.exe
1364	powershell.exe
1364	powershell.exe
4892	powershell.exe
4892	powershell.exe
2816	powershell.exe
2816	powershell.exe
884	powershell.exe
884	powershell.exe
2660	powershell.exe
2660	powershell.exe
4592	powershell.exe
4592	powershell.exe
2216	powershell.exe
2816	powershell.exe
3276	powershell.exe
2524	powershell.exe
4892	powershell.exe
812	powershell.exe
1416	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4828	fontdrvhost.exe
Token: SeDebugPrivilege	1496	fontdrvhost.exe
Token: SeDebugPrivilege	736	fontdrvhost.exe
Token: SeDebugPrivilege	916	fontdrvhost.exe
Token: SeDebugPrivilege	4992	fontdrvhost.exe
Token: SeDebugPrivilege	516	fontdrvhost.exe
Token: SeDebugPrivilege	1408	fontdrvhost.exe
Token: SeDebugPrivilege	376	fontdrvhost.exe
Token: SeDebugPrivilege	2560	fontdrvhost.exe
Token: SeDebugPrivilege	1300	fontdrvhost.exe
Token: SeDebugPrivilege	2132	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exetmp9481.tmp.exefontdrvhost.exetmpCD33.tmp.exeWScript.exefontdrvhost.exetmpB.tmp.exe

description	pid	process	target process
PID 2996 wrote to memory of 4572	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	tmp9481.tmp.exe
PID 2996 wrote to memory of 4572	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	tmp9481.tmp.exe
PID 2996 wrote to memory of 4572	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 4572 wrote to memory of 1808	4572	tmp9481.tmp.exe	tmp9481.tmp.exe
PID 2996 wrote to memory of 4592	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 4592	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 3276	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 3276	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2524	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2524	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 1364	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 1364	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2216	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2216	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 4892	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 4892	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2816	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2816	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 884	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 884	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 1416	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 1416	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2660	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 2660	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 812	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 812	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	powershell.exe
PID 2996 wrote to memory of 4828	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	fontdrvhost.exe
PID 2996 wrote to memory of 4828	2996	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe	fontdrvhost.exe
PID 4828 wrote to memory of 2116	4828	fontdrvhost.exe	WScript.exe
PID 4828 wrote to memory of 2116	4828	fontdrvhost.exe	WScript.exe
PID 4828 wrote to memory of 4724	4828	fontdrvhost.exe	WScript.exe
PID 4828 wrote to memory of 4724	4828	fontdrvhost.exe	WScript.exe
PID 4828 wrote to memory of 2276	4828	fontdrvhost.exe	tmpCD33.tmp.exe
PID 4828 wrote to memory of 2276	4828	fontdrvhost.exe	tmpCD33.tmp.exe
PID 4828 wrote to memory of 2276	4828	fontdrvhost.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2276 wrote to memory of 2268	2276	tmpCD33.tmp.exe	tmpCD33.tmp.exe
PID 2116 wrote to memory of 1496	2116	WScript.exe	fontdrvhost.exe
PID 2116 wrote to memory of 1496	2116	WScript.exe	fontdrvhost.exe
PID 1496 wrote to memory of 2876	1496	fontdrvhost.exe	WScript.exe
PID 1496 wrote to memory of 2876	1496	fontdrvhost.exe	WScript.exe
PID 1496 wrote to memory of 2912	1496	fontdrvhost.exe	WScript.exe
PID 1496 wrote to memory of 2912	1496	fontdrvhost.exe	WScript.exe
PID 1496 wrote to memory of 4464	1496	fontdrvhost.exe	tmpB.tmp.exe
PID 1496 wrote to memory of 4464	1496	fontdrvhost.exe	tmpB.tmp.exe
PID 1496 wrote to memory of 4464	1496	fontdrvhost.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe
PID 4464 wrote to memory of 2500	4464	tmpB.tmp.exe	tmpB.tmp.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fontdrvhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe
"C:\Users\Admin\AppData\Local\Temp\7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142dN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2996
- C:\Users\Admin\AppData\Local\Temp\tmp9481.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9481.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\tmp9481.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9481.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:812
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4828
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\260b9eef-1211-4123-a6fa-ddb7247e2df3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77a8477e-de55-410f-9f90-373e2911b458.vbs"
        5⤵
        
        PID:2876
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58213a52-6d78-43e4-aeea-78d0c36a07ce.vbs"
        7⤵
        
        PID:4428
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b02c659-95a7-459f-b8e9-7e438100f37d.vbs"
        9⤵
        
        PID:1732
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4aa0b8-a63c-4cd0-99e7-bdf3dbace42d.vbs"
        11⤵
        
        PID:5012
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50995d0f-7440-4787-b3af-83ffad689fe6.vbs"
        13⤵
        
        PID:1412
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ee6aa99-79d4-40e2-bbad-d70e73c78342.vbs"
        15⤵
        
        PID:448
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67bf24fb-cc15-4ecb-97ae-8ae18009c375.vbs"
        17⤵
        
        PID:3152
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c504797f-1d6f-4166-9362-91c3a2d01932.vbs"
        19⤵
        
        PID:4340
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7aa128-d14d-49c7-aae5-f6ed9fc1d672.vbs"
        21⤵
        
        PID:2720
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb8272c4-ab82-4de9-91f4-e03185698fb1.vbs"
        23⤵
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23e826d4-0d18-421c-9344-edcd664319f2.vbs"
        23⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp4C42.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4C42.tmp.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp4C42.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4C42.tmp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3172b885-f850-427d-b804-ef29930f0024.vbs"
        21⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1BFA.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c1e9866-160c-4a2e-861a-1c56bc3ec008.vbs"
        19⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEBA3.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82876fad-76cc-4192-9c9a-a08e2471d6d2.vbs"
        17⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a21e07f-ac8d-406b-92e9-bcdd4b17df9c.vbs"
        15⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmpA033.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA033.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmpA033.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA033.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37d6e1dc-546e-4574-b8f6-a5d30102a9aa.vbs"
        13⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92c7e5a6-8483-42a8-92fb-b100ebd372dc.vbs"
        11⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp6741.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6741.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\tmp6741.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6741.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ead72d63-159f-4ce3-b880-ad86dcb4a05c.vbs"
        9⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82fab510-5d90-4dbe-9985-57e61f40fed5.vbs"
        7⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1BC0.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:2868
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5b7b190-3486-4903-bd4d-aeae9b6d659d.vbs"
        5⤵
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2b1ebf9-423b-485d-8fe5-c05ab2219b67.vbs"
    3⤵
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCD33.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Provisioning\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe

Filesize
4.9MB

MD5
f4c59b9503903052f22c793f04c35dbe

SHA1
3d3427a307d385e6bab9d487f9c074c2523b9d20

SHA256
f8e15a5f5d01ff8612a3da31247c38925707f7f530decb19864bfb53f1c42a67

SHA512
dae8c432bf27b69230d0bc5ed9a8a2f02b2ee39962259d08edcd39e6c954f78db8aefff1039942216379e95846859a3274f164d0561b2db986d17f3ca4468a72

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
4.9MB

MD5
8d13034dbcfd91556fb0a68d1dbfa846

SHA1
3ddc6e10c0e6632d2302f8e45b8a6705539cd114

SHA256
d5999519308b9b0cb533d011049a3ff0f9242396dd0d54a746ffe9bc881b948f

SHA512
eff86ef77ec667c8cbf8d3d98e9538045b713d816e7b115814a9fc613862c308cecf11c604c6f75f97bbc646a4025746d1afb32059bb88e0396a80921464e589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\RCXBA1B.tmp

Filesize
4.9MB

MD5
6ea77255075a4cf09c4d61c06c5c5072

SHA1
5cd6861f41cd55ad82443cdbc6de2f27e9440aae

SHA256
d67b0d189ec94cc508e0540bcf2d7961b3e6130fc1dc32ed8acaa65e501f679d

SHA512
5abf1868e1e5942da1399178830c0c9663eb5e337c14eb90a5fd84ee0810945cba277005678be6c3c8474a710e99706a445b012933737018f338708141f554da

Download Submit
C:\Users\Admin\AppData\Local\Temp\260b9eef-1211-4123-a6fa-ddb7247e2df3.vbs

Filesize
713B

MD5
582282cd9deb9f9ff1d56a43712932a5

SHA1
02a3aa705d1ab07974e60051ac215719bbeb5105

SHA256
7121a191943f371b8235bb94b98868abbb36e8be08272bf9b6dff39883c205b9

SHA512
e77bd7a8c0bac603351de59d91e53f7fb78fffcc0780f808d409be2f781ff63785ff2121694cc7d5201f88fbf25a21c4dc1ee69829bfbb87782ee652be200bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b02c659-95a7-459f-b8e9-7e438100f37d.vbs

Filesize
712B

MD5
1d727e4d574e9fc35de36cf116a98073

SHA1
f63687ee14b88a7a27d59149f8083514c662a60b

SHA256
1722cc2af7609ab4081a8642c825e74fbde71118aded58926ac9d8a0ca41763e

SHA512
defdfa5f17dcacab81b786dd8607c43f9bb2a2689e79950cf299c2bd77d28b3800785670c12536fd91c80b6471aa63b533c39e90e6c2d85862adf977a75752f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f4aa0b8-a63c-4cd0-99e7-bdf3dbace42d.vbs

Filesize
713B

MD5
499d1d60504387ee6e18966905b23626

SHA1
ba83349c9b0262c6219dc37ce41873334c9953ca

SHA256
082cb6ae8d7da5328771df3ee908ff0b6284be39d05e1e7f2ad2352e5f9cff53

SHA512
6d57360633146f3bff299ed7aae2ac4a37772b310a34bb8cf6d4886ac149f8917657877798784c5091d9dce9de43094b8acbef89367bc99e4fb4434dc80985c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\50995d0f-7440-4787-b3af-83ffad689fe6.vbs

Filesize
712B

MD5
8cd956f977df757805dbbd6c1f8234a1

SHA1
c73614706da474e86bbfbfb068bc4591538f28a4

SHA256
f1004bafa61263f15b29dae073715bf5ec6f6312694eaab365e25382e1dd784e

SHA512
571966dae06dead11886ac5d046b36d199ed92b9809414af0b1b3e18f9b41ed9596a3ff1080b97383603392d0f98a6b066b3f8f98430bfb1f6cb706750bb4d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\58213a52-6d78-43e4-aeea-78d0c36a07ce.vbs

Filesize
712B

MD5
000e4fa46556ae8b9f8658674bdcdb71

SHA1
33c7343014bc2ae7c5992737efd52b283be1395d

SHA256
ee025a5f8f1addf671428f1a0751458c47302d365f609371c66d3b9bbf607a76

SHA512
baed6976bd105e5428fe5de500b798860d1b170ec0e44272ae5585b43b82316b052156240a78476bcda3de71fb4acd823842d7f54f61d64af764fb0a412d1ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ee6aa99-79d4-40e2-bbad-d70e73c78342.vbs

Filesize
713B

MD5
f8a5db267e66fb21fc666baed3300640

SHA1
3e93450ce89a44a0123cd49ae8a3945dca4b0609

SHA256
5ef1c837793fcd9860df4689dadc3c6f19a9fd9019d72891abb31e673d928df8

SHA512
088d951b21d7100e633dd4ea5803d6eedd538e33e3f12ef0f5f1383fb9cc7c1c1978d62f448c64bd22a4c4d59e1b716816e58b2d6f8b52f61d0353667a236f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\77a8477e-de55-410f-9f90-373e2911b458.vbs

Filesize
713B

MD5
4b877d593c9d95b465486213793d91a1

SHA1
105b67913355f0a49f48627fee2bb65f26b1b3b5

SHA256
d6da2262ed4e30e728e490a724d8abb54d386f1d8fd4645758a68384df5a0ea5

SHA512
248a8ed99770cf000af810c1b5aa0f920ba16171d67e9c04b821d791d2661e67f2b2f09209deedc5ab6190b2d210623d264ff0875e690874c638fae15cb1fc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixtywiyj.y1e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2b1ebf9-423b-485d-8fe5-c05ab2219b67.vbs

Filesize
489B

MD5
da5e24192f73e896ffbf01eb893018b7

SHA1
4f4b91bbebcc19c48be663b3e0e08b2041b52e23

SHA256
ce1f1f9326aa0bdaa77e4d0897d1a5d0c226329338127acecbe285cf918a388d

SHA512
2acc0f4d9410844a0fbb59ac1aa45063f4df17bff36ddaeb31dc7bcd3ffe2a3dfb538c344f57f5dc507641180da8514779f2e7ff360e553ff19fb4bb75614b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9481.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Public\AccountPictures\dwm.exe

Filesize
4.9MB

MD5
cdd2f8f721e6359a948f6b6c4d1d5cd0

SHA1
b30e80a275147eb27e916e11fcb80233f6b9cf73

SHA256
7ebda0600cbde7eee0281655d6d30845ea500aeb7809b5b4d8937a374e34142d

SHA512
04e0ce6889b21c8560206b938aa3223d7ab4e0a874e74a79cd8e365b8adafe71523da0f27f4717b49bae01fc20a0ec7d3002a944bff5817e1d02f3db2b98524d

Download Submit
memory/736-423-0x000000001B340000-0x000000001B352000-memory.dmp

Filesize
72KB

Download
memory/1300-564-0x0000000003020000-0x0000000003032000-memory.dmp

Filesize
72KB

Download
memory/1808-83-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2216-245-0x00000214E3950000-0x00000214E3972000-memory.dmp

Filesize
136KB

Download
memory/2560-547-0x000000001C750000-0x000000001C762000-memory.dmp

Filesize
72KB

Download
memory/2996-11-0x000000001B690000-0x000000001B6A2000-memory.dmp

Filesize
72KB

Download
memory/2996-12-0x000000001C380000-0x000000001C8A8000-memory.dmp

Filesize
5.2MB

Download
memory/2996-148-0x00007FF8BCC83000-0x00007FF8BCC85000-memory.dmp

Filesize
8KB

Download
memory/2996-16-0x000000001BE60000-0x000000001BE68000-memory.dmp

Filesize
32KB

Download
memory/2996-18-0x000000001BE80000-0x000000001BE8C000-memory.dmp

Filesize
48KB

Download
memory/2996-1-0x00000000003E0000-0x00000000008D4000-memory.dmp

Filesize
5.0MB

Download
memory/2996-352-0x00007FF8BCC80000-0x00007FF8BD741000-memory.dmp

Filesize
10.8MB

Download
memory/2996-17-0x000000001BE70000-0x000000001BE78000-memory.dmp

Filesize
32KB

Download
memory/2996-13-0x000000001B6A0000-0x000000001B6AA000-memory.dmp

Filesize
40KB

Download
memory/2996-14-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/2996-15-0x000000001BE50000-0x000000001BE5E000-memory.dmp

Filesize
56KB

Download
memory/2996-162-0x00007FF8BCC80000-0x00007FF8BD741000-memory.dmp

Filesize
10.8MB

Download
memory/2996-0-0x00007FF8BCC83000-0x00007FF8BCC85000-memory.dmp

Filesize
8KB

Download
memory/2996-10-0x000000001B680000-0x000000001B68A000-memory.dmp

Filesize
40KB

Download
memory/2996-6-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/2996-7-0x0000000001270000-0x0000000001280000-memory.dmp

Filesize
64KB

Download
memory/2996-8-0x000000001B650000-0x000000001B666000-memory.dmp

Filesize
88KB

Download
memory/2996-9-0x000000001B670000-0x000000001B680000-memory.dmp

Filesize
64KB

Download
memory/2996-5-0x000000001BE00000-0x000000001BE50000-memory.dmp

Filesize
320KB

Download
memory/2996-4-0x00000000011D0000-0x00000000011EC000-memory.dmp

Filesize
112KB

Download
memory/2996-3-0x00007FF8BCC80000-0x00007FF8BD741000-memory.dmp

Filesize
10.8MB

Download
memory/2996-2-0x000000001B6D0000-0x000000001B7FE000-memory.dmp

Filesize
1.2MB

Download
memory/4828-351-0x0000000000770000-0x0000000000C64000-memory.dmp

Filesize
5.0MB

Download