colibri | bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82

Analysis

max time kernel
118s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Size

4.9MB
MD5

25182c721a9a0f64e4ed7c31e1c8c6bc
SHA1

50c80cd3ed583b2fb9d6c47d4e2318d8e1d5c584
SHA256

bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82
SHA512

57f16d2455ea10205deb379ee0f8892037cd7239f05e504794b22a105f9a6bd997a1618626ea2965c8405548d28f8173a5f4ed606b2760708a6bcd0348d88565
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8/:n

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3004	schtasks.exe	86

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3700-2-0x000000001BEE0000-0x000000001C00E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2344	powershell.exe
1188	powershell.exe
3076	powershell.exe
3156	powershell.exe
392	powershell.exe
3676	powershell.exe
2324	powershell.exe
4572	powershell.exe
4676	powershell.exe
452	powershell.exe
2564	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 40 IoCs

pid	Process
1484	tmpBB91.tmp.exe
3608	tmpBB91.tmp.exe
752	tmpBB91.tmp.exe
2160	System.exe
1284	tmpD8CC.tmp.exe
3872	tmpD8CC.tmp.exe
1072	System.exe
3260	tmpFCBF.tmp.exe
3544	tmpFCBF.tmp.exe
2788	System.exe
3700	tmp19FB.tmp.exe
2164	tmp19FB.tmp.exe
1416	System.exe
224	tmp3747.tmp.exe
868	tmp3747.tmp.exe
2712	System.exe
440	tmp68A8.tmp.exe
3992	tmp68A8.tmp.exe
1676	System.exe
4868	tmp9B31.tmp.exe
868	tmp9B31.tmp.exe
1208	System.exe
4512	tmpCEA5.tmp.exe
3728	tmpCEA5.tmp.exe
632	System.exe
2832	System.exe
1416	tmp20AD.tmp.exe
3736	tmp20AD.tmp.exe
1444	tmp20AD.tmp.exe
4008	tmp20AD.tmp.exe
1504	System.exe
2092	tmp3DCA.tmp.exe
4860	tmp3DCA.tmp.exe
4680	System.exe
2008	tmp5B84.tmp.exe
4244	tmp5B84.tmp.exe
3732	tmp5B84.tmp.exe
396	System.exe
4100	tmp7824.tmp.exe
3564	tmp7824.tmp.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 3608 set thread context of 752	3608	tmpBB91.tmp.exe	108
PID 1284 set thread context of 3872	1284	tmpD8CC.tmp.exe	138
PID 3260 set thread context of 3544	3260	tmpFCBF.tmp.exe	159
PID 3700 set thread context of 2164	3700	tmp19FB.tmp.exe	169
PID 224 set thread context of 868	224	tmp3747.tmp.exe	180
PID 440 set thread context of 3992	440	tmp68A8.tmp.exe	190
PID 4868 set thread context of 868	4868	tmp9B31.tmp.exe	200
PID 4512 set thread context of 3728	4512	tmpCEA5.tmp.exe	209
PID 1444 set thread context of 4008	1444	tmp20AD.tmp.exe	227
PID 2092 set thread context of 4860	2092	tmp3DCA.tmp.exe	236
PID 4244 set thread context of 3732	4244	tmp5B84.tmp.exe	246
PID 4100 set thread context of 3564	4100	tmp7824.tmp.exe	254

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\sihost.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC25C.tmp	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files\Windows Defender\f3b6ecef712a24	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\dllhost.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Program Files\Windows Defender\RCXBC00.tmp	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.27\RCXBE14.tmp	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files\Windows Defender\spoolsv.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\sihost.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\66fc9ff0ee96c2	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Program Files\Windows Defender\spoolsv.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Containers\RuntimeBroker.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Windows\Containers\RuntimeBroker.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Windows\Containers\9e8d7a4ca61bd9	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Windows\Speech\upfc.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File created	C:\Windows\Speech\ea1d8f6d871115	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Windows\Containers\RCXB9EB.tmp	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Windows\Speech\RCXC038.tmp	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
File opened for modification	C:\Windows\Speech\upfc.exe	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp68A8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9B31.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp20AD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7824.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB91.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp19FB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD8CC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5B84.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3747.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFCBF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCEA5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp20AD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp20AD.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3DCA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5B84.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBB91.tmp.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3112	schtasks.exe
4324	schtasks.exe
1060	schtasks.exe
3572	schtasks.exe
3696	schtasks.exe
3976	schtasks.exe
3648	schtasks.exe
968	schtasks.exe
724	schtasks.exe
4492	schtasks.exe
4820	schtasks.exe
4816	schtasks.exe
4244	schtasks.exe
4360	schtasks.exe
1656	schtasks.exe
3736	schtasks.exe
4788	schtasks.exe
5048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
1188	powershell.exe
1188	powershell.exe
452	powershell.exe
452	powershell.exe
392	powershell.exe
392	powershell.exe
3156	powershell.exe
3156	powershell.exe
2324	powershell.exe
2324	powershell.exe
3676	powershell.exe
3676	powershell.exe
4676	powershell.exe
4676	powershell.exe
2564	powershell.exe
2564	powershell.exe
2344	powershell.exe
2344	powershell.exe
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe
4572	powershell.exe
4572	powershell.exe
1188	powershell.exe
392	powershell.exe
452	powershell.exe
452	powershell.exe
3676	powershell.exe
2324	powershell.exe
3156	powershell.exe
2344	powershell.exe
4676	powershell.exe
2564	powershell.exe
4572	powershell.exe
2160	System.exe
2160	System.exe
1072	System.exe
2788	System.exe
1416	System.exe
2712	System.exe
1676	System.exe
1208	System.exe
632	System.exe
2832	System.exe
1504	System.exe
4680	System.exe
396	System.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2160	System.exe
Token: SeDebugPrivilege	1072	System.exe
Token: SeDebugPrivilege	2788	System.exe
Token: SeDebugPrivilege	1416	System.exe
Token: SeDebugPrivilege	2712	System.exe
Token: SeDebugPrivilege	1676	System.exe
Token: SeDebugPrivilege	1208	System.exe
Token: SeDebugPrivilege	632	System.exe
Token: SeDebugPrivilege	2832	System.exe
Token: SeDebugPrivilege	1504	System.exe
Token: SeDebugPrivilege	4680	System.exe
Token: SeDebugPrivilege	396	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1484	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	105
PID 3700 wrote to memory of 1484	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	105
PID 3700 wrote to memory of 1484	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	105
PID 1484 wrote to memory of 3608	1484	tmpBB91.tmp.exe	107
PID 1484 wrote to memory of 3608	1484	tmpBB91.tmp.exe	107
PID 1484 wrote to memory of 3608	1484	tmpBB91.tmp.exe	107
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3608 wrote to memory of 752	3608	tmpBB91.tmp.exe	108
PID 3700 wrote to memory of 2344	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	110
PID 3700 wrote to memory of 2344	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	110
PID 3700 wrote to memory of 2324	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	111
PID 3700 wrote to memory of 2324	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	111
PID 3700 wrote to memory of 4572	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	112
PID 3700 wrote to memory of 4572	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	112
PID 3700 wrote to memory of 4676	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	113
PID 3700 wrote to memory of 4676	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	113
PID 3700 wrote to memory of 452	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	114
PID 3700 wrote to memory of 452	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	114
PID 3700 wrote to memory of 1188	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	115
PID 3700 wrote to memory of 1188	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	115
PID 3700 wrote to memory of 3076	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	116
PID 3700 wrote to memory of 3076	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	116
PID 3700 wrote to memory of 3156	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	117
PID 3700 wrote to memory of 3156	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	117
PID 3700 wrote to memory of 3676	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	118
PID 3700 wrote to memory of 3676	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	118
PID 3700 wrote to memory of 392	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	119
PID 3700 wrote to memory of 392	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	119
PID 3700 wrote to memory of 2564	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	120
PID 3700 wrote to memory of 2564	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	120
PID 3700 wrote to memory of 2160	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	132
PID 3700 wrote to memory of 2160	3700	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe	132
PID 2160 wrote to memory of 1284	2160	System.exe	135
PID 2160 wrote to memory of 1284	2160	System.exe	135
PID 2160 wrote to memory of 1284	2160	System.exe	135
PID 2160 wrote to memory of 2748	2160	System.exe	137
PID 2160 wrote to memory of 2748	2160	System.exe	137
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 1284 wrote to memory of 3872	1284	tmpD8CC.tmp.exe	138
PID 2160 wrote to memory of 3172	2160	System.exe	139
PID 2160 wrote to memory of 3172	2160	System.exe	139
PID 2748 wrote to memory of 1072	2748	WScript.exe	150
PID 2748 wrote to memory of 1072	2748	WScript.exe	150
PID 1072 wrote to memory of 4440	1072	System.exe	152
PID 1072 wrote to memory of 4440	1072	System.exe	152
PID 1072 wrote to memory of 3244	1072	System.exe	154
PID 1072 wrote to memory of 3244	1072	System.exe	154
PID 1072 wrote to memory of 3260	1072	System.exe	157
PID 1072 wrote to memory of 3260	1072	System.exe	157
PID 1072 wrote to memory of 3260	1072	System.exe	157
PID 3260 wrote to memory of 3544	3260	tmpFCBF.tmp.exe	159
PID 3260 wrote to memory of 3544	3260	tmpFCBF.tmp.exe	159
PID 3260 wrote to memory of 3544	3260	tmpFCBF.tmp.exe	159
PID 3260 wrote to memory of 3544	3260	tmpFCBF.tmp.exe	159

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe
"C:\Users\Admin\AppData\Local\Temp\bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3700
- C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.exe"
      4⤵
      Executes dropped EXE
      PID:3872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ca4d933-3f12-434b-96be-531bbca6718a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ccda016-f042-4b2f-b672-d79d331f6b88.vbs"
        5⤵
        
        PID:4440
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2bfef24-bd37-4306-86b3-d3a73e8650ee.vbs"
        7⤵
        
        PID:3288
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61a5c539-0931-413b-af4a-cbc049127292.vbs"
        9⤵
        
        PID:1360
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9162fbb-16f9-465f-a6b5-4c8b073adc2b.vbs"
        11⤵
        
        PID:3872
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5f420f4-d645-4f2c-a2aa-d09800fcc7e8.vbs"
        13⤵
        
        PID:1112
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38b77b05-99d4-4e4f-82f8-785cd9351cd8.vbs"
        15⤵
        
        PID:392
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3c8e756-7fc6-4555-be10-0b09f98b9499.vbs"
        17⤵
        
        PID:3128
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa418955-4c13-4c30-9723-55b2d5ff5cf2.vbs"
        19⤵
        
        PID:3912
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4c3a469-55b9-4605-a8d5-86e7caaea7f9.vbs"
        21⤵
        
        PID:1560
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c488208-2fa0-4cb3-9c5f-d25621be86af.vbs"
        23⤵
        
        PID:1092
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe"
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8774881b-07d0-4f9c-9529-cba0f5f3ed33.vbs"
        25⤵
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0266e27f-978c-48ff-8788-edc6b1f169a5.vbs"
        25⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7824.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7824.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp7824.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7824.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8091562c-0ec7-443e-93ec-41e501feb800.vbs"
        23⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5B84.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d1bb963-e1e9-4e09-990b-d0aa2f49fa91.vbs"
        21⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DCA.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp3DCA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3DCA.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea8873f7-bcb6-4af9-a7f6-b35d64c63847.vbs"
        19⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp20AD.tmp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0bafe6-d0f7-4b75-a18c-c1054d47b594.vbs"
        17⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40b77ff3-2f12-4417-8306-c24a0750feeb.vbs"
        15⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCEA5.tmp.exe"
        16⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\480025c2-9c8c-4c7c-925d-f921cdb78733.vbs"
        13⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B31.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B31.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp9B31.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9B31.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21f70f69-6ae6-48e3-981d-a42a1441f192.vbs"
        11⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp68A8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp68A8.tmp.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp68A8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp68A8.tmp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c22d1a0-2812-4548-afa0-c6d6d3f6a687.vbs"
        9⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp3747.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3747.tmp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp3747.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3747.tmp.exe"
        10⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0e70891-cc84-414c-a4c1-f22766d4f591.vbs"
        7⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp19FB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp19FB.tmp.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp19FB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp19FB.tmp.exe"
        8⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdf3b507-584d-41ca-ac7c-cdc8f79878be.vbs"
        5⤵
        
        PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\tmpFCBF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCBF.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\tmpFCBF.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpFCBF.tmp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5b80df-4a53-49b0-8621-53432678ddaf.vbs"
    3⤵
    PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\6.0.27\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\6.0.27\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\fxr\6.0.27\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\Speech\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe

Filesize
4.9MB

MD5
25182c721a9a0f64e4ed7c31e1c8c6bc

SHA1
50c80cd3ed583b2fb9d6c47d4e2318d8e1d5c584

SHA256
bf937d79c4f60f8c681296528af7bc7b04e4507d33f0802eed126a9f4df95e82

SHA512
57f16d2455ea10205deb379ee0f8892037cd7239f05e504794b22a105f9a6bd997a1618626ea2965c8405548d28f8173a5f4ed606b2760708a6bcd0348d88565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f5b80df-4a53-49b0-8621-53432678ddaf.vbs

Filesize
518B

MD5
33478a19ac166af27cc160811177606f

SHA1
11259f5f24647fd37b5efc056f8dc5ea227066fd

SHA256
7731d7b63200ff69c643c4838d82aa8d1bbe230df96bea1af160605a2b1f64b5

SHA512
ce4fbc1525cdfe421f543d30c0cd2100c1c49b30a094be07e63a04909f9ce01e1511921661629374acf348214a707d41d8c694b81ee7d7948185f613cedd43da

Download Submit
C:\Users\Admin\AppData\Local\Temp\38b77b05-99d4-4e4f-82f8-785cd9351cd8.vbs

Filesize
742B

MD5
64e5f424e96a2283becdc923fea3d8dd

SHA1
24fc4ad6a6d716d4dab6e49e1cb2fff72e7ae25e

SHA256
41a83fe93ba7678acceeb2fa262891327dedf70c232fe70b84a9c0b78b083d27

SHA512
042ccc4e6d5542b2ad4da061081248f3da99d7d91ed1fa157ddfd30a91f48a80d88fc764ea3d9eb6b25efce1b606f633a0bb9ef4533a9758346e77500f726a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\61a5c539-0931-413b-af4a-cbc049127292.vbs

Filesize
742B

MD5
e264b69c717b711790c84d629f526936

SHA1
270355a3ef7278ad8551a5c7282a3bbebb89aa8e

SHA256
a9d72ebc487546d6a5e06284c64a9fc8cd6a8e43a64714e8743688ab5e140bc1

SHA512
9c7a91ad058a67eb586e70e58e5806ed89e96999d9219e78afc035a51ca5e80694398adbce9aa492ea944dcfc25cc3981c18274060b13a6528809bc5e53832bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ca4d933-3f12-434b-96be-531bbca6718a.vbs

Filesize
742B

MD5
d7675ec222b8d603cb01c4ec3857d552

SHA1
38d812f2ea1f922083e639d5903c7c46186c2bae

SHA256
b106da46bffada7e358b10ec6695d954f882f9889c9e78f1699f01632b63e57c

SHA512
6424975efa5bfb9213889a63f485193fefd6f70f763be9e023c422229ba9a1fe07f8fb93d0caed72ad27f4a58d9c5583ca12b295e6cff1d09d380b699030f439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ccda016-f042-4b2f-b672-d79d331f6b88.vbs

Filesize
742B

MD5
9f984ba51467897ef9107bc18be02f91

SHA1
2117da09d83c660f6386d3e6e825887ec2c2e1a9

SHA256
425e5a1692bb191f75ef5275198d379e8caafcf5949b9368c1090fc05536f484

SHA512
5db324792184cdf0533de9e3691a743a758a5637f7b9def36d8bb38d20184051d7bc337637be5900b835cd99da47dd5148b60f9668844269812060379c17101b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dedogta3.ada.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2bfef24-bd37-4306-86b3-d3a73e8650ee.vbs

Filesize
742B

MD5
3ad8fbba24b462b6b74302ecb6ecdb9f

SHA1
a4ce6eee905ecda209205f2291989813e03ae65e

SHA256
b5ac1ef808c0e35486933ea2d60d382d92785dba08100d342ff6509e210a4dc5

SHA512
f0e7f701de6be196e5b82f9d55f3bb8b686acd1c78c83a67d65239b9b11eba8adc9b651f4cf76e2b6eff9504c3a287464216c40a87b1747393ca6bfbe0c95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5f420f4-d645-4f2c-a2aa-d09800fcc7e8.vbs

Filesize
742B

MD5
505d90c893260421063e8b9b7d6c6b3d

SHA1
aa48fb7414065a70ea75c78a8d937a344de06341

SHA256
8988f667da8815f1ca84a991fd1ba55e1bbdbfa10688158ff0c5c7918e9520d4

SHA512
99f808ce7fd839e866eb8d51a7f2f58ed5184ea6ce24a691bd483de39682b88a28802ab14d92405f5ca5ef24ecdbc1691a5eb2bf625fda2c2d614402a96646cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9162fbb-16f9-465f-a6b5-4c8b073adc2b.vbs

Filesize
742B

MD5
8f66fabe92df3b1b576ac9ff4df267e5

SHA1
1945d6a78f78acfdb5f395a8b7ff4487de8040cd

SHA256
3123c744f302461419279677ce1ef891af4bed7cbb77311e7f118de5e3972d26

SHA512
4bec92717dfa9848a2ee76542410178de3cfb0024c61641284654f87aea35e007ec6eccd69c0d595ead82d2e1d0dc506a4ea76b1e1123fe9d733793547dd0d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB91.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/452-143-0x0000020ACDFF0000-0x0000020ACE012000-memory.dmp

Filesize
136KB

Download
memory/752-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1072-320-0x000000001CF30000-0x000000001D032000-memory.dmp

Filesize
1.0MB

Download
memory/2160-250-0x000000001BE80000-0x000000001BE92000-memory.dmp

Filesize
72KB

Download
memory/2712-369-0x000000001C330000-0x000000001C342000-memory.dmp

Filesize
72KB

Download
memory/2788-339-0x000000001C3E0000-0x000000001C4E2000-memory.dmp

Filesize
1.0MB

Download
memory/3700-2-0x000000001BEE0000-0x000000001C00E000-memory.dmp

Filesize
1.2MB

Download
memory/3700-9-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/3700-17-0x000000001C090000-0x000000001C098000-memory.dmp

Filesize
32KB

Download
memory/3700-14-0x000000001C060000-0x000000001C06E000-memory.dmp

Filesize
56KB

Download
memory/3700-15-0x000000001C070000-0x000000001C07E000-memory.dmp

Filesize
56KB

Download
memory/3700-12-0x000000001CC00000-0x000000001D128000-memory.dmp

Filesize
5.2MB

Download
memory/3700-1-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/3700-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/3700-6-0x0000000001A00000-0x0000000001A08000-memory.dmp

Filesize
32KB

Download
memory/3700-249-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/3700-8-0x00000000033A0000-0x00000000033B6000-memory.dmp

Filesize
88KB

Download
memory/3700-7-0x0000000001A80000-0x0000000001A90000-memory.dmp

Filesize
64KB

Download
memory/3700-18-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/3700-5-0x000000001C010000-0x000000001C060000-memory.dmp

Filesize
320KB

Download
memory/3700-13-0x00000000033F0000-0x00000000033FA000-memory.dmp

Filesize
40KB

Download
memory/3700-4-0x0000000003380000-0x000000000339C000-memory.dmp

Filesize
112KB

Download
memory/3700-16-0x000000001C080000-0x000000001C088000-memory.dmp

Filesize
32KB

Download
memory/3700-10-0x00000000033D0000-0x00000000033DA000-memory.dmp

Filesize
40KB

Download
memory/3700-3-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/3700-11-0x00000000033E0000-0x00000000033F2000-memory.dmp

Filesize
72KB

Download