colibri | 32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757

Analysis

max time kernel
118s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Size

4.9MB
MD5

c7de19da94b452dd1fe7ce4c67f10730
SHA1

e8232023150e75b3a88b97b52c64e4a813f27d41
SHA256

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757
SHA512

9c86090ed26c449c78a55a95dbd7fb8443dd11a2e89d5b1140e3b44549a2ae09e9b474f6b65d065d046d2d3c87d822ddfebc44005cbc81b405b4969f0866d9bd
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1096	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1096	schtasks.exe

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/224-2-0x000000001BAC0000-0x000000001BBEE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3924	powershell.exe
4976	powershell.exe
1944	powershell.exe
2520	powershell.exe
60	powershell.exe
4048	powershell.exe
1508	powershell.exe
4004	powershell.exe
2352	powershell.exe
520	powershell.exe
2372	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 41 IoCs

Processes:

tmpB336.tmp.exetmpB336.tmp.exesppsvc.exetmpF472.tmp.exetmpF472.tmp.exesppsvc.exetmp11ED.tmp.exetmp11ED.tmp.exesppsvc.exetmp2D93.tmp.exetmp2D93.tmp.exesppsvc.exetmp4949.tmp.exetmp4949.tmp.exesppsvc.exetmp6637.tmp.exetmp6637.tmp.exetmp6637.tmp.exetmp6637.tmp.exesppsvc.exetmp968E.tmp.exetmp968E.tmp.exetmp968E.tmp.exetmp968E.tmp.exesppsvc.exetmpC86C.tmp.exetmpC86C.tmp.exesppsvc.exetmpE412.tmp.exetmpE412.tmp.exesppsvc.exetmp138E.tmp.exetmp138E.tmp.exesppsvc.exetmp4368.tmp.exetmp4368.tmp.exetmp4368.tmp.exetmp4368.tmp.exesppsvc.exetmp72B5.tmp.exetmp72B5.tmp.exe

pid	process
2712	tmpB336.tmp.exe
2200	tmpB336.tmp.exe
1144	sppsvc.exe
2740	tmpF472.tmp.exe
4116	tmpF472.tmp.exe
4244	sppsvc.exe
1548	tmp11ED.tmp.exe
2312	tmp11ED.tmp.exe
632	sppsvc.exe
1880	tmp2D93.tmp.exe
3352	tmp2D93.tmp.exe
1928	sppsvc.exe
336	tmp4949.tmp.exe
2876	tmp4949.tmp.exe
2928	sppsvc.exe
3240	tmp6637.tmp.exe
1144	tmp6637.tmp.exe
3932	tmp6637.tmp.exe
440	tmp6637.tmp.exe
4116	sppsvc.exe
4848	tmp968E.tmp.exe
1928	tmp968E.tmp.exe
3400	tmp968E.tmp.exe
1588	tmp968E.tmp.exe
4512	sppsvc.exe
3932	tmpC86C.tmp.exe
3460	tmpC86C.tmp.exe
4624	sppsvc.exe
624	tmpE412.tmp.exe
2108	tmpE412.tmp.exe
1944	sppsvc.exe
1552	tmp138E.tmp.exe
4596	tmp138E.tmp.exe
4060	sppsvc.exe
4456	tmp4368.tmp.exe
2084	tmp4368.tmp.exe
4924	tmp4368.tmp.exe
3884	tmp4368.tmp.exe
2796	sppsvc.exe
1808	tmp72B5.tmp.exe
1116	tmp72B5.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

tmpB336.tmp.exetmpF472.tmp.exetmp11ED.tmp.exetmp2D93.tmp.exetmp4949.tmp.exetmp6637.tmp.exetmp968E.tmp.exetmpC86C.tmp.exetmpE412.tmp.exetmp138E.tmp.exetmp4368.tmp.exetmp72B5.tmp.exe

description	pid	process	target process
PID 2712 set thread context of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2740 set thread context of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 1548 set thread context of 2312	1548	tmp11ED.tmp.exe	tmp11ED.tmp.exe
PID 1880 set thread context of 3352	1880	tmp2D93.tmp.exe	tmp2D93.tmp.exe
PID 336 set thread context of 2876	336	tmp4949.tmp.exe	tmp4949.tmp.exe
PID 3932 set thread context of 440	3932	tmp6637.tmp.exe	tmp6637.tmp.exe
PID 3400 set thread context of 1588	3400	tmp968E.tmp.exe	tmp968E.tmp.exe
PID 3932 set thread context of 3460	3932	tmpC86C.tmp.exe	tmpC86C.tmp.exe
PID 624 set thread context of 2108	624	tmpE412.tmp.exe	tmpE412.tmp.exe
PID 1552 set thread context of 4596	1552	tmp138E.tmp.exe	tmp138E.tmp.exe
PID 4924 set thread context of 3884	4924	tmp4368.tmp.exe	tmp4368.tmp.exe
PID 1808 set thread context of 1116	1808	tmp72B5.tmp.exe	tmp72B5.tmp.exe

Drops file in Program Files directory 32 IoCs

Processes:

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Windows Sidebar\sppsvc.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXC02C.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXBE08.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\sppsvc.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCCC4.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\f3b6ecef712a24	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Windows Mail\5940a34987c991	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXC7C1.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5940a34987c991	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5940a34987c991	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\5b884080fd4f94	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ea9f0e6c9e2dcd	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXB6C2.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXBB77.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Windows Mail\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB094.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXC2AE.tmp	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files (x86)\Windows Sidebar\0a1fd5f707cd16	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp968E.tmp.exetmpC86C.tmp.exetmp4368.tmp.exetmp2D93.tmp.exetmp4949.tmp.exetmp968E.tmp.exetmp72B5.tmp.exetmp6637.tmp.exetmp6637.tmp.exetmp138E.tmp.exetmp4368.tmp.exetmp6637.tmp.exetmp968E.tmp.exetmp11ED.tmp.exetmpE412.tmp.exetmp4368.tmp.exetmpB336.tmp.exetmpF472.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp968E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC86C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4368.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2D93.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4949.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp968E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp72B5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6637.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6637.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp138E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4368.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6637.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp968E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp11ED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE412.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4368.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB336.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF472.tmp.exe

Modifies registry class 12 IoCs

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exe32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
452	schtasks.exe
4872	schtasks.exe
5052	schtasks.exe
2784	schtasks.exe
4412	schtasks.exe
4580	schtasks.exe
3876	schtasks.exe
3924	schtasks.exe
4004	schtasks.exe
4596	schtasks.exe
900	schtasks.exe
2704	schtasks.exe
2160	schtasks.exe
2016	schtasks.exe
3848	schtasks.exe
1392	schtasks.exe
4216	schtasks.exe
1616	schtasks.exe
4592	schtasks.exe
1728	schtasks.exe
1656	schtasks.exe
2772	schtasks.exe
4048	schtasks.exe
2908	schtasks.exe
1608	schtasks.exe
1928	schtasks.exe
4268	schtasks.exe
1796	schtasks.exe
5028	schtasks.exe
4532	schtasks.exe
1980	schtasks.exe
1972	schtasks.exe
2736	schtasks.exe
4828	schtasks.exe
2668	schtasks.exe
4092	schtasks.exe
4696	schtasks.exe
2372	schtasks.exe
4080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid	process
224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
2372	powershell.exe
2372	powershell.exe
2352	powershell.exe
2352	powershell.exe
4048	powershell.exe
4048	powershell.exe
1944	powershell.exe
1944	powershell.exe
4976	powershell.exe
4976	powershell.exe
60	powershell.exe
60	powershell.exe
4004	powershell.exe
4004	powershell.exe
2520	powershell.exe
2520	powershell.exe
1508	powershell.exe
1508	powershell.exe
520	powershell.exe
520	powershell.exe
3924	powershell.exe
3924	powershell.exe
1508	powershell.exe
2372	powershell.exe
2372	powershell.exe
60	powershell.exe
2352	powershell.exe
2352	powershell.exe
4048	powershell.exe
4048	powershell.exe
1944	powershell.exe
1944	powershell.exe
4004	powershell.exe
2520	powershell.exe
4976	powershell.exe
4976	powershell.exe
520	powershell.exe
3924	powershell.exe
1144	sppsvc.exe
4244	sppsvc.exe
632	sppsvc.exe
1928	sppsvc.exe
2928	sppsvc.exe
4116	sppsvc.exe
4512	sppsvc.exe
4624	sppsvc.exe
1944	sppsvc.exe
4060	sppsvc.exe
2796	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	1144	sppsvc.exe
Token: SeDebugPrivilege	4244	sppsvc.exe
Token: SeDebugPrivilege	632	sppsvc.exe
Token: SeDebugPrivilege	1928	sppsvc.exe
Token: SeDebugPrivilege	2928	sppsvc.exe
Token: SeDebugPrivilege	4116	sppsvc.exe
Token: SeDebugPrivilege	4512	sppsvc.exe
Token: SeDebugPrivilege	4624	sppsvc.exe
Token: SeDebugPrivilege	1944	sppsvc.exe
Token: SeDebugPrivilege	4060	sppsvc.exe
Token: SeDebugPrivilege	2796	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exetmpB336.tmp.execmd.exesppsvc.exetmpF472.tmp.exeWScript.exesppsvc.exetmp11ED.tmp.exe

description	pid	process	target process
PID 224 wrote to memory of 2712	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	tmpB336.tmp.exe
PID 224 wrote to memory of 2712	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	tmpB336.tmp.exe
PID 224 wrote to memory of 2712	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 2712 wrote to memory of 2200	2712	tmpB336.tmp.exe	tmpB336.tmp.exe
PID 224 wrote to memory of 3924	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 3924	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4976	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4976	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4048	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4048	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 60	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 60	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2372	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2372	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 520	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 520	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2352	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2352	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4004	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 4004	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 1508	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 1508	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2520	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 2520	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 1944	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 1944	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	powershell.exe
PID 224 wrote to memory of 1608	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	cmd.exe
PID 224 wrote to memory of 1608	224	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe	cmd.exe
PID 1608 wrote to memory of 4860	1608	cmd.exe	w32tm.exe
PID 1608 wrote to memory of 4860	1608	cmd.exe	w32tm.exe
PID 1608 wrote to memory of 1144	1608	cmd.exe	sppsvc.exe
PID 1608 wrote to memory of 1144	1608	cmd.exe	sppsvc.exe
PID 1144 wrote to memory of 1588	1144	sppsvc.exe	WScript.exe
PID 1144 wrote to memory of 1588	1144	sppsvc.exe	WScript.exe
PID 1144 wrote to memory of 592	1144	sppsvc.exe	WScript.exe
PID 1144 wrote to memory of 592	1144	sppsvc.exe	WScript.exe
PID 1144 wrote to memory of 2740	1144	sppsvc.exe	tmpF472.tmp.exe
PID 1144 wrote to memory of 2740	1144	sppsvc.exe	tmpF472.tmp.exe
PID 1144 wrote to memory of 2740	1144	sppsvc.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 2740 wrote to memory of 4116	2740	tmpF472.tmp.exe	tmpF472.tmp.exe
PID 1588 wrote to memory of 4244	1588	WScript.exe	sppsvc.exe
PID 1588 wrote to memory of 4244	1588	WScript.exe	sppsvc.exe
PID 4244 wrote to memory of 4012	4244	sppsvc.exe	WScript.exe
PID 4244 wrote to memory of 4012	4244	sppsvc.exe	WScript.exe
PID 4244 wrote to memory of 212	4244	sppsvc.exe	WScript.exe
PID 4244 wrote to memory of 212	4244	sppsvc.exe	WScript.exe
PID 4244 wrote to memory of 1548	4244	sppsvc.exe	tmp11ED.tmp.exe
PID 4244 wrote to memory of 1548	4244	sppsvc.exe	tmp11ED.tmp.exe
PID 4244 wrote to memory of 1548	4244	sppsvc.exe	tmp11ED.tmp.exe
PID 1548 wrote to memory of 2312	1548	tmp11ED.tmp.exe	tmp11ED.tmp.exe
PID 1548 wrote to memory of 2312	1548	tmp11ED.tmp.exe	tmp11ED.tmp.exe
PID 1548 wrote to memory of 2312	1548	tmp11ED.tmp.exe	tmp11ED.tmp.exe

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

sppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe
"C:\Users\Admin\AppData\Local\Temp\32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:224
- C:\Users\Admin\AppData\Local\Temp\tmpB336.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB336.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\tmpB336.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpB336.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\igBqxW9ThC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4860
- - C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
    "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1e1657e-8fd1-49cf-999c-08d7696c8c14.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4244
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d96e0df-35c2-4f87-8a5f-0e2218b1bb67.vbs"
        6⤵
        
        PID:4012
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf4f29d6-c7f8-486f-9cd3-3d54e1025433.vbs"
        8⤵
        
        PID:4944
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74c090f4-6829-4007-aaf8-f90f8473f7eb.vbs"
        10⤵
        
        PID:3084
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922dc67b-fd44-4ceb-b533-3c92358f843b.vbs"
        12⤵
        
        PID:2788
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00c90847-935f-4446-894c-c0453c0c7315.vbs"
        14⤵
        
        PID:3332
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8d1dcab-5ee2-4f9c-9f35-0b5c4c3e5d93.vbs"
        16⤵
        
        PID:4312
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e87da6e-785a-4276-87d3-ad014d7a5f22.vbs"
        18⤵
        
        PID:832
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bfe2c69-f8f4-4917-8843-aafad13137cb.vbs"
        20⤵
        
        PID:1132
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b17fdaa-6006-49ea-972e-86c73975e9f9.vbs"
        22⤵
        
        PID:1612
        
        C:\Program Files (x86)\Windows Sidebar\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Sidebar\sppsvc.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39cf8aa-e60b-4b50-a891-ed25d2d8eded.vbs"
        24⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6c400d7-b00a-46cf-abf7-f2ce4810fa7f.vbs"
        24⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp72B5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp72B5.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp72B5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp72B5.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b57f5ed3-88bd-4b26-9430-d976b0c21c71.vbs"
        22⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4368.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dd568ca-efde-4fbc-953f-ba91a258a4dc.vbs"
        20⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp138E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp138E.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp138E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp138E.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94648660-e86e-4b87-be1f-aff482977940.vbs"
        18⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE412.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19f2b5a2-d2a5-4acf-bca8-e0db79b0ec3c.vbs"
        16⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmpC86C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC86C.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmpC86C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC86C.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fe90fa-1ba0-4a1f-88df-791a1319891f.vbs"
        14⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp968E.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f352f0d-9279-44b7-a522-8f722cb0e270.vbs"
        12⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6637.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db5eda2a-9d1e-46d0-ab64-bbd32e582107.vbs"
        10⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp4949.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4949.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp4949.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4949.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1a096ad-2cc4-4e3d-8330-8130b7f5fb1f.vbs"
        8⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp2D93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D93.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp2D93.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D93.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3352
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82221224-6b4a-4e65-9a02-6bcfe948904a.vbs"
        6⤵
        
        PID:212
      - C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp11ED.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2312
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eeea2a0-0f7c-473b-b5ce-88453c631653.vbs"
      4⤵
      PID:592
  - - C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF472.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Sidebar\sppsvc.exe

Filesize
4.9MB

MD5
fbf1cf5411670beb5b09157a86dc2dfe

SHA1
ba2b88c1f02575c0270fe00c947f224f5d54368b

SHA256
d126247583c2580b27d598ed14f3338d3421703c4b59f7357c342a31d7241ff2

SHA512
978223bfae90fe389567b587f6227c902a4dce29bdc2cb7395a99c148475568fa9dcaa3b7c8918c130ded52b4946f7f405652eeee6f197c3a77062a3b835e675

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\dllhost.exe

Filesize
4.9MB

MD5
3eee3a593a01fdf71ef55071cf12f6b0

SHA1
ace1d846345f1ea6f9bc88602b5128586e9874b0

SHA256
2dacdce807a267cb6fdd3d0910b756808841afeea6835d9fe16ceebf1f8f7058

SHA512
bc01c718be6f2058cd2d2f39a5109daea09d051e5c2d971fa5bf0f4b9bf4ac3ed0ff1a6d2bf72d44499044557f27a60f6c599bf1b4e9432179bc4b08dcf9076e

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
4.9MB

MD5
c7de19da94b452dd1fe7ce4c67f10730

SHA1
e8232023150e75b3a88b97b52c64e4a813f27d41

SHA256
32dd4bacc753285522d3d1fafdc88c2366c3282f5b3d194ea1e601ac58aa7757

SHA512
9c86090ed26c449c78a55a95dbd7fb8443dd11a2e89d5b1140e3b44549a2ae09e9b474f6b65d065d046d2d3c87d822ddfebc44005cbc81b405b4969f0866d9bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c90847-935f-4446-894c-c0453c0c7315.vbs

Filesize
725B

MD5
4ceb4c985af83654aae0afd732dfe68c

SHA1
abaecca7d5eadbcab24de6c962f4089fae699781

SHA256
cb205dc85b5d1601c6c49beacc9fbf7cd3beda5c5cff929621cf86a79b00e5e7

SHA512
698488ad7f201149425f3a906c7a71d54f04876fa979cc8c3ad8eb8738bcddc74504958bd6e581c1906dbbff62b42d94090cff70acdd3a6ac55d07a1e64e33a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d96e0df-35c2-4f87-8a5f-0e2218b1bb67.vbs

Filesize
725B

MD5
c399ad9c7733b5cb0154b0e46947f76c

SHA1
66fb9d20a775f3b1b7aadfda3047b189d8b355ca

SHA256
d12fdf09f52bb8e616245497052cf0d4b99245585f02caef5edbc8d2a851baba

SHA512
c3362eb5ff76a6369ca99b5e895a0bdeb7d45d6b869dac7a25d6fb13ac7c9c0bb2ea54b40f43bf85104fa2011f45fd3d874ebe1967400984aa42223f9ed600aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eeea2a0-0f7c-473b-b5ce-88453c631653.vbs

Filesize
501B

MD5
4427e92b034a6d3f4969eb141cb723bf

SHA1
d80fe179aa4b42b0965c0428b14c1127dbab45b7

SHA256
b27815588544f9fd99a79796f322de3ea493672e401ff1962fe802eab9e8e2aa

SHA512
c428c89a34e979a07b5eaf258fb2278f0f2b896308331fc145d8d5a024bb3cc33f7b80f1d1b7673035745c4939d941186c47ddec2d5aaa0597897d3abe3865bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\74c090f4-6829-4007-aaf8-f90f8473f7eb.vbs

Filesize
725B

MD5
82e8f7876946ba55d9a06a658fa858ca

SHA1
5b1fb6ed72cc85b026119f82a0fe17c58ee991f9

SHA256
dfaa9c7eb02be70793fad84b44e857bbd6963d822d4e818d6c3566409364aa4d

SHA512
5b911304d212e7658baa47af328b73dd36dfc02abdc98257a0dc9fdf208f94006cb2c197e449f2af85ba2bc4b2886cbe63e8095a9287f600c9d5abe8a3e08efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\922dc67b-fd44-4ceb-b533-3c92358f843b.vbs

Filesize
725B

MD5
f46a832d194f343043e716713a51a777

SHA1
2e643a4c96075f09fce7f9949f0f41969c7464ad

SHA256
9dbe3ab309b3cd598afa9254825b5a01b31805e83ac9057f07abce0796d8cf5c

SHA512
f9c8373a7195531d4b15f991ffb97f8bcd976dcafc238fbedcf91becbdb1c0cf5ef9f85bbfb69d2dedce9593dbff44ac9cbfe0a9a8a521b409f85d6da98b978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rdjhnqcj.4el.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1e1657e-8fd1-49cf-999c-08d7696c8c14.vbs

Filesize
725B

MD5
c13e491f3007086251d6d50c613028b1

SHA1
16ad15623067b927f6dfe6fcf0d993497224f25a

SHA256
93edb498619ad44804ad983a24242d71e7e5d9f651a164f288c0a0c51120d703

SHA512
0326d1e41c270cb36a23b8b7532d4567720ea0c813bc96dfa10cadb67f4a746bc224da6359bf882c5001a485c6b846196f89bf0015890647ba346925d28d03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf4f29d6-c7f8-486f-9cd3-3d54e1025433.vbs

Filesize
724B

MD5
3e2157d743eb9547571227e12a40090a

SHA1
7f09d9f85900db5962cb1f3dd45911339175b057

SHA256
fe976f12e44685c1027ba84d489ffa4d2b016d8d48e8facc537286a11ce7dbed

SHA512
f1def24aca7da355df57bd0a416788aa200e5f33010a91462bc00d5a193b1066d04b8a1be6f546fb510f85541f17ce1de00c2dd10252f78adb8e68e91c610af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\igBqxW9ThC.bat

Filesize
214B

MD5
1d218cd69233e06943c7936110595cfc

SHA1
07fdbce25ebd5670217223bca2ea4870ed04752e

SHA256
25104afa06548a06a5605c14e9020fd3893f4bfb059e7df53d1780ec814134fe

SHA512
b09ea442790c7787181d43a5529cabf18cf2533e621fb8f73a777b2ce043a92498fab39fdb0e645fdea06581004ef9c1c48eda0f2876a799d9417363a6504927

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB336.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/60-282-0x00000187651E0000-0x000001876532E000-memory.dmp

Filesize
1.3MB

Download
memory/224-143-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/224-2-0x000000001BAC0000-0x000000001BBEE000-memory.dmp

Filesize
1.2MB

Download
memory/224-136-0x00007FFA3CB73000-0x00007FFA3CB75000-memory.dmp

Filesize
8KB

Download
memory/224-7-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/224-150-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/224-17-0x000000001C250000-0x000000001C258000-memory.dmp

Filesize
32KB

Download
memory/224-0-0x00007FFA3CB73000-0x00007FFA3CB75000-memory.dmp

Filesize
8KB

Download
memory/224-18-0x000000001C260000-0x000000001C26C000-memory.dmp

Filesize
48KB

Download
memory/224-13-0x000000001B990000-0x000000001B99A000-memory.dmp

Filesize
40KB

Download
memory/224-12-0x000000001C800000-0x000000001CD28000-memory.dmp

Filesize
5.2MB

Download
memory/224-6-0x0000000001430000-0x0000000001438000-memory.dmp

Filesize
32KB

Download
memory/224-5-0x000000001C280000-0x000000001C2D0000-memory.dmp

Filesize
320KB

Download
memory/224-4-0x0000000001410000-0x000000000142C000-memory.dmp

Filesize
112KB

Download
memory/224-11-0x000000001B980000-0x000000001B992000-memory.dmp

Filesize
72KB

Download
memory/224-1-0x0000000000810000-0x0000000000D04000-memory.dmp

Filesize
5.0MB

Download
memory/224-14-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/224-3-0x00007FFA3CB70000-0x00007FFA3D631000-memory.dmp

Filesize
10.8MB

Download
memory/224-16-0x000000001C240000-0x000000001C248000-memory.dmp

Filesize
32KB

Download
memory/224-10-0x000000001B960000-0x000000001B96A000-memory.dmp

Filesize
40KB

Download
memory/224-15-0x000000001C230000-0x000000001C23E000-memory.dmp

Filesize
56KB

Download
memory/224-8-0x0000000001660000-0x0000000001676000-memory.dmp

Filesize
88KB

Download
memory/224-9-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/520-276-0x0000027526F90000-0x00000275270DE000-memory.dmp

Filesize
1.3MB

Download
memory/1144-289-0x0000000000460000-0x0000000000954000-memory.dmp

Filesize
5.0MB

Download
memory/1508-261-0x0000020F285D0000-0x0000020F2871E000-memory.dmp

Filesize
1.3MB

Download
memory/1928-361-0x000000001C080000-0x000000001C092000-memory.dmp

Filesize
72KB

Download
memory/1944-264-0x000001F4BCCF0000-0x000001F4BCE3E000-memory.dmp

Filesize
1.3MB

Download
memory/2200-71-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2352-267-0x000001A0FF210000-0x000001A0FF35E000-memory.dmp

Filesize
1.3MB

Download
memory/2372-156-0x000002EAD55D0000-0x000002EAD55F2000-memory.dmp

Filesize
136KB

Download
memory/2372-270-0x000002EAD5700000-0x000002EAD584E000-memory.dmp

Filesize
1.3MB

Download
memory/2520-273-0x0000024FEA530000-0x0000024FEA67E000-memory.dmp

Filesize
1.3MB

Download
memory/3924-279-0x000002346B3B0000-0x000002346B4FE000-memory.dmp

Filesize
1.3MB

Download
memory/4004-259-0x0000028C7ACB0000-0x0000028C7ADFE000-memory.dmp

Filesize
1.3MB

Download
memory/4048-260-0x00000292FE0D0000-0x00000292FE21E000-memory.dmp

Filesize
1.3MB

Download
memory/4244-314-0x000000001BC50000-0x000000001BC62000-memory.dmp

Filesize
72KB

Download
memory/4512-443-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/4976-285-0x0000017A78280000-0x0000017A783CE000-memory.dmp

Filesize
1.3MB

Download