colibri | 19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Size

4.9MB
MD5

25496308c3b681092d00992320e7dcf0
SHA1

f016822cb907ffbd1aa6ffaf9b4e00dfc789e7bf
SHA256

19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f
SHA512

811433d23078a129180f7067aa9c9d904e0c001b8adb9876bcaee096014814d57faf457c4d3a8f20ca05b0d4c08d4a311599bc1cfe57db478ee5b5282196038e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	764	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	764	schtasks.exe	85

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4764-3-0x000000001B800000-0x000000001B92E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
1800	powershell.exe
3600	powershell.exe
4748	powershell.exe
4440	powershell.exe
2252	powershell.exe
1768	powershell.exe
2072	powershell.exe
2600	powershell.exe
4184	powershell.exe
4048	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 39 IoCs

pid	Process
1844	tmpC5B3.tmp.exe
408	tmpC5B3.tmp.exe
3824	wininit.exe
540	tmp11AE.tmp.exe
4032	tmp11AE.tmp.exe
32	wininit.exe
4936	tmp2D64.tmp.exe
2780	tmp2D64.tmp.exe
1908	wininit.exe
1648	tmp5DDA.tmp.exe
4672	tmp5DDA.tmp.exe
4660	wininit.exe
4764	tmp79A0.tmp.exe
4716	tmp79A0.tmp.exe
3932	tmp79A0.tmp.exe
2860	tmp79A0.tmp.exe
3696	tmp79A0.tmp.exe
1200	wininit.exe
712	tmpA9F7.tmp.exe
3948	tmpA9F7.tmp.exe
380	wininit.exe
2660	tmpC58D.tmp.exe
2936	tmpC58D.tmp.exe
1460	wininit.exe
2384	tmpE0A7.tmp.exe
4068	tmpE0A7.tmp.exe
5092	wininit.exe
1736	tmp111D.tmp.exe
4220	tmp111D.tmp.exe
4672	wininit.exe
2416	tmp40A9.tmp.exe
368	tmp40A9.tmp.exe
1192	wininit.exe
4488	tmp7073.tmp.exe
4408	tmp7073.tmp.exe
3524	wininit.exe
2840	tmp8BAC.tmp.exe
3384	tmp8BAC.tmp.exe
4880	tmp8BAC.tmp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\icsxml\lsass.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 408	1844	tmpC5B3.tmp.exe	142
PID 540 set thread context of 4032	540	tmp11AE.tmp.exe	188
PID 4936 set thread context of 2780	4936	tmp2D64.tmp.exe	198
PID 1648 set thread context of 4672	1648	tmp5DDA.tmp.exe	209
PID 2860 set thread context of 3696	2860	tmp79A0.tmp.exe	221
PID 712 set thread context of 3948	712	tmpA9F7.tmp.exe	230
PID 2660 set thread context of 2936	2660	tmpC58D.tmp.exe	240
PID 2384 set thread context of 4068	2384	tmpE0A7.tmp.exe	250
PID 1736 set thread context of 4220	1736	tmp111D.tmp.exe	259
PID 2416 set thread context of 368	2416	tmp40A9.tmp.exe	268
PID 4488 set thread context of 4408	4488	tmp7073.tmp.exe	278
PID 3384 set thread context of 4880	3384	tmp8BAC.tmp.exe	289

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\886983d96e3d3e	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\VideoLAN\VLC\skins\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\VideoLAN\RCXCD87.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXDD5D.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows Mail\RCXDFDF.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\dwm.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXD1B0.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXE830.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Crashpad\unsecapp.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows Mail\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\121e5b5079f7c0	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCXC6DD.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXC8F1.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\VideoLAN\fontdrvhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\VideoLAN\fontdrvhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\VideoLAN\VLC\skins\6ccacd8608530f	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\VideoLAN\5b884080fd4f94	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Microsoft\dwm.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\dotnet\swidtag\55b276f4edf653	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Crashpad\29c1c3cc0f7685	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXC4B8.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXD3C4.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Common Files\Services\9e8d7a4ca61bd9	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\dotnet\swidtag\StartMenuExperienceHost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXCB06.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\Idle.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows Mail\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Microsoft\6cb0b6c459d5d3	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\7a0fd90576e088	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\dotnet\swidtag\StartMenuExperienceHost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Program Files\Crashpad\RCXEAB1.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Windows Mail\b208a1cf430dcc	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Program Files\Crashpad\unsecapp.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Boot\services.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\InputMethod\SHARED\dllhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\InputMethod\SHARED\RCXE61B.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\InputMethod\SHARED\dllhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\Sun\Java\fontdrvhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\Sun\Java\5b884080fd4f94	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File created	C:\Windows\InputMethod\SHARED\5940a34987c991	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\Sun\Java\RCXCF9B.tmp	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
File opened for modification	C:\Windows\Sun\Java\fontdrvhost.exe	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79A0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79A0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE0A7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BAC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp11AE.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79A0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA9F7.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp111D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8BAC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5DDA.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp79A0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7073.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2D64.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC58D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC5B3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp40A9.tmp.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
4140	schtasks.exe
3600	schtasks.exe
732	schtasks.exe
4716	schtasks.exe
4784	schtasks.exe
700	schtasks.exe
2076	schtasks.exe
4748	schtasks.exe
5108	schtasks.exe
3240	schtasks.exe
1960	schtasks.exe
2712	schtasks.exe
2020	schtasks.exe
5104	schtasks.exe
1620	schtasks.exe
3460	schtasks.exe
4864	schtasks.exe
1320	schtasks.exe
2008	schtasks.exe
2504	schtasks.exe
3108	schtasks.exe
4440	schtasks.exe
3128	schtasks.exe
1344	schtasks.exe
3820	schtasks.exe
2840	schtasks.exe
4392	schtasks.exe
3824	schtasks.exe
1012	schtasks.exe
1556	schtasks.exe
4388	schtasks.exe
4812	schtasks.exe
4672	schtasks.exe
400	schtasks.exe
1856	schtasks.exe
4380	schtasks.exe
3468	schtasks.exe
4532	schtasks.exe
2760	schtasks.exe
712	schtasks.exe
3528	schtasks.exe
2420	schtasks.exe
3644	schtasks.exe
1328	schtasks.exe
3948	schtasks.exe
1708	schtasks.exe
2516	schtasks.exe
3856	schtasks.exe
2072	schtasks.exe
4884	schtasks.exe
3740	schtasks.exe
3324	schtasks.exe
4908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
4048	powershell.exe
4048	powershell.exe
4184	powershell.exe
4184	powershell.exe
2600	powershell.exe
2600	powershell.exe
2884	powershell.exe
2884	powershell.exe
2072	powershell.exe
2072	powershell.exe
4440	powershell.exe
4440	powershell.exe
4748	powershell.exe
4748	powershell.exe
3600	powershell.exe
3600	powershell.exe
1800	powershell.exe
1800	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
2252	powershell.exe
2252	powershell.exe
2600	powershell.exe
4048	powershell.exe
2252	powershell.exe
2884	powershell.exe
4184	powershell.exe
4440	powershell.exe
2072	powershell.exe
4748	powershell.exe
3600	powershell.exe
1800	powershell.exe
3824	wininit.exe
32	wininit.exe
1908	wininit.exe
4660	wininit.exe
1200	wininit.exe
380	wininit.exe
1460	wininit.exe
5092	wininit.exe
4672	wininit.exe
1192	wininit.exe
3524	wininit.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3824	wininit.exe
Token: SeDebugPrivilege	32	wininit.exe
Token: SeDebugPrivilege	1908	wininit.exe
Token: SeDebugPrivilege	4660	wininit.exe
Token: SeDebugPrivilege	1200	wininit.exe
Token: SeDebugPrivilege	380	wininit.exe
Token: SeDebugPrivilege	1460	wininit.exe
Token: SeDebugPrivilege	5092	wininit.exe
Token: SeDebugPrivilege	4672	wininit.exe
Token: SeDebugPrivilege	1192	wininit.exe
Token: SeDebugPrivilege	3524	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1844	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	140
PID 4764 wrote to memory of 1844	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	140
PID 4764 wrote to memory of 1844	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	140
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 1844 wrote to memory of 408	1844	tmpC5B3.tmp.exe	142
PID 4764 wrote to memory of 2252	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	150
PID 4764 wrote to memory of 2252	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	150
PID 4764 wrote to memory of 1768	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	151
PID 4764 wrote to memory of 1768	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	151
PID 4764 wrote to memory of 2072	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	152
PID 4764 wrote to memory of 2072	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	152
PID 4764 wrote to memory of 2884	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	153
PID 4764 wrote to memory of 2884	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	153
PID 4764 wrote to memory of 2600	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	154
PID 4764 wrote to memory of 2600	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	154
PID 4764 wrote to memory of 3600	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	155
PID 4764 wrote to memory of 3600	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	155
PID 4764 wrote to memory of 1800	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	156
PID 4764 wrote to memory of 1800	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	156
PID 4764 wrote to memory of 4748	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	157
PID 4764 wrote to memory of 4748	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	157
PID 4764 wrote to memory of 4048	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	158
PID 4764 wrote to memory of 4048	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	158
PID 4764 wrote to memory of 4184	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	159
PID 4764 wrote to memory of 4184	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	159
PID 4764 wrote to memory of 4440	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	160
PID 4764 wrote to memory of 4440	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	160
PID 4764 wrote to memory of 1908	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	171
PID 4764 wrote to memory of 1908	4764	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe	171
PID 1908 wrote to memory of 4104	1908	cmd.exe	174
PID 1908 wrote to memory of 4104	1908	cmd.exe	174
PID 1908 wrote to memory of 3824	1908	cmd.exe	181
PID 1908 wrote to memory of 3824	1908	cmd.exe	181
PID 3824 wrote to memory of 4472	3824	wininit.exe	184
PID 3824 wrote to memory of 4472	3824	wininit.exe	184
PID 3824 wrote to memory of 1492	3824	wininit.exe	185
PID 3824 wrote to memory of 1492	3824	wininit.exe	185
PID 3824 wrote to memory of 540	3824	wininit.exe	186
PID 3824 wrote to memory of 540	3824	wininit.exe	186
PID 3824 wrote to memory of 540	3824	wininit.exe	186
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 540 wrote to memory of 4032	540	tmp11AE.tmp.exe	188
PID 4472 wrote to memory of 32	4472	WScript.exe	191
PID 4472 wrote to memory of 32	4472	WScript.exe	191
PID 32 wrote to memory of 4536	32	wininit.exe	193
PID 32 wrote to memory of 4536	32	wininit.exe	193
PID 32 wrote to memory of 4544	32	wininit.exe	194
PID 32 wrote to memory of 4544	32	wininit.exe	194
PID 32 wrote to memory of 4936	32	wininit.exe	196
PID 32 wrote to memory of 4936	32	wininit.exe	196
PID 32 wrote to memory of 4936	32	wininit.exe	196
PID 4936 wrote to memory of 2780	4936	tmp2D64.tmp.exe	198
PID 4936 wrote to memory of 2780	4936	tmp2D64.tmp.exe	198
PID 4936 wrote to memory of 2780	4936	tmp2D64.tmp.exe	198

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe
"C:\Users\Admin\AppData\Local\Temp\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4764
- C:\Users\Admin\AppData\Local\Temp\tmpC5B3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC5B3.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\tmpC5B3.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpC5B3.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gl9PPr7sC8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4104
- - C:\Recovery\WindowsRE\wininit.exe
    "C:\Recovery\WindowsRE\wininit.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3824
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33c984de-5d91-4dc2-b388-3dcea3b5a899.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:32
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce91fd5-9b74-4f67-9653-f54f5147752f.vbs"
        6⤵
        
        PID:4536
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34bac464-bfd0-490d-b359-7e221ea5639d.vbs"
        8⤵
        
        PID:4720
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\353a68e3-97a7-43e0-9ca3-5a7138de6ee7.vbs"
        10⤵
        
        PID:1620
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6dd6f76-432d-4a9f-ad43-703ad21bd989.vbs"
        12⤵
        
        PID:720
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a143299e-515c-4864-b2d6-7b8ad7a78e96.vbs"
        14⤵
        
        PID:4188
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\791c1316-7acc-4f71-a3fb-23f06ea89720.vbs"
        16⤵
        
        PID:3896
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c88e386a-e58b-4e96-9189-4f8c9290b113.vbs"
        18⤵
        
        PID:3956
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc118c84-a4aa-46f3-810b-00c020f60af0.vbs"
        20⤵
        
        PID:1892
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c412984-7b56-447b-abba-f12c5925cae5.vbs"
        22⤵
        
        PID:3212
        
        C:\Recovery\WindowsRE\wininit.exe
        
        C:\Recovery\WindowsRE\wininit.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3271a2fe-2240-46ca-918b-fdc09de48752.vbs"
        24⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637c155e-2ad2-4625-a5c0-e4bb0a13b486.vbs"
        24⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe"
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8BAC.tmp.exe"
        26⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab0758c-2fd9-40f1-9231-4fa0c2997516.vbs"
        22⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7073.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7073.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7073.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7073.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e17bdcc-b421-43d8-986f-2c3f729cb86c.vbs"
        20⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp40A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp40A9.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp40A9.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp40A9.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89eff97-cc52-4245-b6d6-c7df7918e651.vbs"
        18⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp111D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp111D.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp111D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp111D.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:4220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de2e9751-ddd1-4e61-a5de-df96a81e565c.vbs"
        16⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmpE0A7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE0A7.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmpE0A7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE0A7.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40d9175e-643a-47a2-926f-c3b59e446aad.vbs"
        14⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmpC58D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC58D.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmpC58D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC58D.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93712c0a-9df5-4400-85a0-e641f3d45474.vbs"
        12⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmpA9F7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA9F7.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmpA9F7.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA9F7.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89133cbe-53b9-4f35-9e19-9c885c12a653.vbs"
        10⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp79A0.tmp.exe"
        14⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04950525-9e2a-4d27-9fd1-7a0fcc2bba4f.vbs"
        8⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp5DDA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5DDA.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp5DDA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5DDA.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4672
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56632e39-a681-46e9-b689-ef5266e90801.vbs"
        6⤵
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp2D64.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5fa5c90-47d4-460e-89a3-0113d3c02ee2.vbs"
      4⤵
      PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp11AE.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Sun\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\skins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\swidtag\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN1" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN1" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16fN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Documents\My Pictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\SHARED\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\fontdrvhost.exe

Filesize
4.9MB

MD5
25496308c3b681092d00992320e7dcf0

SHA1
f016822cb907ffbd1aa6ffaf9b4e00dfc789e7bf

SHA256
19635aef15d44c474acbf2d6e8a4e52ad016c056d264ad4e7b549473cb77e16f

SHA512
811433d23078a129180f7067aa9c9d904e0c001b8adb9876bcaee096014814d57faf457c4d3a8f20ca05b0d4c08d4a311599bc1cfe57db478ee5b5282196038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\33c984de-5d91-4dc2-b388-3dcea3b5a899.vbs

Filesize
709B

MD5
3a8e1a14cca9c811c9a4a0020287b6a0

SHA1
021fbee05d9411cb3cea167784410ce62d633622

SHA256
c499e51c56cc327d837f6f710c3e476af6d31f83dd974f47c882a07c57d4e3b1

SHA512
6353bab20c05feb13017c5975292cd1ff3b58e1d16cb48f2b7bf20a9f157c762888d02db911e601c274acdb0a9f6701e9a004d699d957d808f6a8239bdc3efdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\34bac464-bfd0-490d-b359-7e221ea5639d.vbs

Filesize
709B

MD5
974cab73311ff484fd14587d007d7a7b

SHA1
066fbfa5bb536d84ca17fea6219f9005296870f1

SHA256
fe89a0f268671def532c5b15beb8372eb57715a978a206f7d1530d6be39c9a86

SHA512
b5176dedb633928acb7b15595d2d10621912ae20e4a8b12fc91df95e992e71210703d99fa1d2f096e002ab41c4c9ae6f2747aea55e301f2e98ad7b03a5eceba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\353a68e3-97a7-43e0-9ca3-5a7138de6ee7.vbs

Filesize
709B

MD5
fcadda197ff659cda309a1879b1fbfa9

SHA1
921e5f8e9dd2b8c4f9c2a673f578ddf50b86706f

SHA256
951b424f94bbb2175133143e56e97fef1faefac9d3db2fc0ce943127b914df43

SHA512
876e34e01bf662886ddd64ac4d7d3ddf1fa0e9987fc2ea13d8058ee945e199391e5ac0698547ecb83f20852535a2b42075f8db4b30ddcbff40857aca4acb8a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\791c1316-7acc-4f71-a3fb-23f06ea89720.vbs

Filesize
709B

MD5
41e6dd67bd93c70e87f97dd6080e03f9

SHA1
c4b480507635c293c51147d0b034b6306fc26b14

SHA256
67e19ec4d6bd78c5dcc75040fb2579db00b8a1a13f27f1f31d1369fdd742df24

SHA512
f327dbcf0a3f442e3650d60920f2a8c8dd18ccaa04b6728d7d2c274c49f4d00135466c0f55e9c41b59079dd81e2012bf95eebbc4701066ae855cffe1d87bfc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ce91fd5-9b74-4f67-9653-f54f5147752f.vbs

Filesize
707B

MD5
64c4edd589033cb8089e9c6e92dd8ab6

SHA1
7823043bb88e97c3c3b9a24aa71c691be0f07fc8

SHA256
4c0caad9e72fbdd3a5c770f4a7b2c2ef1c3d206862238a4ab7621ef2794dfa38

SHA512
7fee793519d648c3d6c49f96afaf8a2ad9dec8a0d0676a388f0b80a601874f178adb71f34203f524f1887155fff52dd4eff64c0963319335c740e1543229154c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbrsycoy.a2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a143299e-515c-4864-b2d6-7b8ad7a78e96.vbs

Filesize
708B

MD5
46b19a9ab64cb41abe9fd00a04007bda

SHA1
daa4a24dca216b0f0bb6f6ba9a76645f79aa64b7

SHA256
333f1925fe68a910f35f7e439bc911fd6ab89f266542530ed28c261607303b22

SHA512
324c8f50445d2d7f86f7ebcc7142d757217fdc661324f195dd6f997626ab60bf31e1ffd0d70102613c9b100f1c95d18f0a3855cf9846d7b7da652bcf80fca8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6dd6f76-432d-4a9f-ad43-703ad21bd989.vbs

Filesize
709B

MD5
00c63848895a05d52ed0e2be208f0385

SHA1
c469b0b3951f4ecb76f677a89e7809fbe7b417cc

SHA256
badbd81e20c51cecab05eb20bbd2cd4075a75b1ae569b54ae19b9ad8588b38c8

SHA512
4006676e3050c13008d20d70e0bd6306235f174f93135cd206664baab82abc2aa704d799fc9e7fc1275afcf7dc58206bdad217712d043ad2de4336ebab74e676

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5fa5c90-47d4-460e-89a3-0113d3c02ee2.vbs

Filesize
485B

MD5
b65a50cf8dce8cb74fa7ef5658f3a2e5

SHA1
86034e7a401936e4de44ba3ec5a0513623523365

SHA256
d78b44dc736414aadf711eb23943974d86789e948fbb85f3a572de4054e895db

SHA512
2392698c78500319a0b634ed714cb98c7afc22ab4032f1f5d87822b7cf6e418905d337cde0c5a18c7181e3ccf7f63b6e7146dc110bba6d536697a4d64ecec849

Download Submit
C:\Users\Admin\AppData\Local\Temp\gl9PPr7sC8.bat

Filesize
198B

MD5
e7c561c304400fab9fb639dd704a0af0

SHA1
f7f784037b5f5761f46b28f82cd9a5475a00e5da

SHA256
8ae510114dba38667ec7aa901ec28d9bca69ac06ae7fe5d517e9c9609a12f93d

SHA512
08db2ff22280de540d5766a5a4d954919f280c7ede0f06cc83e818bb498c53d4c2353c28701c02661866cd821aa3a297ec55fd752cd10a74a1eca8b49ef0f6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5B3.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\Documents\RCXE407.tmp

Filesize
4.9MB

MD5
4761fef1309f8c4d3d17f353abf67eae

SHA1
4602dc4aa988fb08e135602368ff75796a397d87

SHA256
508aa5e49e93fa3bd4c240894540290b3cc28a8250e52bb4b6db92b8ca02094b

SHA512
7d4f2afd21b66a6b3b89c4c50cbeea18c855ecd1dd36c3c20cdefce464a588dca7f70b774caa4ea59ca9f67c1b16a9fd519e15c5d1d4e208f0c0120567d20919

Download Submit
C:\Users\Default\Pictures\RCXE1F3.tmp

Filesize
4.9MB

MD5
acb959371bcb0bd9a6cda2bdd9583774

SHA1
d86b431418d9c9398f8d43b56b230c49a0247718

SHA256
6b48c38244a647d92e4ff08494bbf74f61d2da9f46ba2cfe086019dd9cddd51d

SHA512
9bcb04cb995a90d8b9b17a54f1699c5cb7aa1832e3d9666229a9fcd4d0e5a80ebf09f7c678e417f9707271cb3fafc5fda7bc890311aaa3e95ee7985e885dec83

Download Submit
memory/408-81-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1192-523-0x000000001C690000-0x000000001C6A2000-memory.dmp

Filesize
72KB

Download
memory/3824-324-0x0000000002EF0000-0x0000000002F02000-memory.dmp

Filesize
72KB

Download
memory/4048-211-0x0000017B5CEA0000-0x0000017B5CEC2000-memory.dmp

Filesize
136KB

Download
memory/4764-11-0x000000001B680000-0x000000001B692000-memory.dmp

Filesize
72KB

Download
memory/4764-196-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-156-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-142-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

Filesize
8KB

Download
memory/4764-17-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/4764-18-0x000000001B970000-0x000000001B97C000-memory.dmp

Filesize
48KB

Download
memory/4764-16-0x000000001B950000-0x000000001B958000-memory.dmp

Filesize
32KB

Download
memory/4764-13-0x000000001B690000-0x000000001B69A000-memory.dmp

Filesize
40KB

Download
memory/4764-14-0x000000001B930000-0x000000001B93E000-memory.dmp

Filesize
56KB

Download
memory/4764-15-0x000000001B940000-0x000000001B94E000-memory.dmp

Filesize
56KB

Download
memory/4764-12-0x000000001C4C0000-0x000000001C9E8000-memory.dmp

Filesize
5.2MB

Download
memory/4764-0-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

Filesize
8KB

Download
memory/4764-10-0x000000001B670000-0x000000001B67A000-memory.dmp

Filesize
40KB

Download
memory/4764-9-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4764-8-0x000000001B650000-0x000000001B666000-memory.dmp

Filesize
88KB

Download
memory/4764-5-0x000000001B6A0000-0x000000001B6F0000-memory.dmp

Filesize
320KB

Download
memory/4764-6-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/4764-7-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/4764-4-0x0000000002AD0000-0x0000000002AEC000-memory.dmp

Filesize
112KB

Download
memory/4764-3-0x000000001B800000-0x000000001B92E000-memory.dmp

Filesize
1.2MB

Download
memory/4764-2-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-1-0x00000000004E0000-0x00000000009D4000-memory.dmp

Filesize
5.0MB

Download