dcrat | 68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Size

1.5MB
MD5

d38d717691c05fac4769e664d6e53248
SHA1

33bef9a88e278cc160f053a9ba87b2a16f7108b7
SHA256

68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46
SHA512

811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\PhoneOm\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\PhoneOm\\spoolsv.exe\", \"C:\\Windows\\System32\\SettingsHandlers_AnalogShell\\fontdrvhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Mail\\upfc.exe\", \"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\", \"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\PhoneOm\\spoolsv.exe\", \"C:\\Windows\\System32\\SettingsHandlers_AnalogShell\\fontdrvhost.exe\", \"C:\\Documents and Settings\\lsass.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2040	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	2040	schtasks.exe	83

UAC bypass 3 TTPs 63 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4412	powershell.exe
1828	powershell.exe
4672	powershell.exe
2404	powershell.exe
3772	powershell.exe
856	powershell.exe
4160	powershell.exe
5012	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 20 IoCs

pid	Process
1180	SppExtComObj.exe
1968	SppExtComObj.exe
3272	SppExtComObj.exe
440	SppExtComObj.exe
3192	SppExtComObj.exe
4664	SppExtComObj.exe
4568	SppExtComObj.exe
2828	SppExtComObj.exe
960	SppExtComObj.exe
3840	SppExtComObj.exe
1560	SppExtComObj.exe
816	SppExtComObj.exe
3792	SppExtComObj.exe
4192	SppExtComObj.exe
4976	SppExtComObj.exe
1184	SppExtComObj.exe
2988	SppExtComObj.exe
2544	SppExtComObj.exe
3752	SppExtComObj.exe
4420	SppExtComObj.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SettingsHandlers_AnalogShell\\fontdrvhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Mail\\upfc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Windows Mail\\upfc.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\PhoneOm\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Documents and Settings\\lsass.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\SystemApps\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\InputApp\\TextInput\\TextInputHost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\Windows.Internal.PredictionUnit\\SppExtComObj.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.371\\RuntimeBroker.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\PhoneOm\\spoolsv.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\SettingsHandlers_AnalogShell\\fontdrvhost.exe\""	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Checks whether UAC is enabled 1 TTPs 42 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\PhoneOm\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\Windows.Internal.PredictionUnit\e1ef82546f0b02	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\PhoneOm\spoolsv.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\SettingsHandlers_AnalogShell\fontdrvhost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\SettingsHandlers_AnalogShell\5b884080fd4f94	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\System32\PhoneOm\f3b6ecef712a24	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\Windows.Internal.PredictionUnit\RCXAD4A.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\PhoneOm\RCXB153.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\SettingsHandlers_AnalogShell\RCXB3C5.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\System32\SettingsHandlers_AnalogShell\fontdrvhost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\upfc.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Program Files\Windows Mail\upfc.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Program Files\Windows Mail\ea1d8f6d871115	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\RuntimeBroker.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\9e8d7a4ca61bd9	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Program Files\Windows Mail\RCXA941.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RCXAF4F.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\RuntimeBroker.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\22eafd247d37c3	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\RCXAB46.tmp	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3752	schtasks.exe
4972	schtasks.exe
4956	schtasks.exe
3436	schtasks.exe
3296	schtasks.exe
348	schtasks.exe
2884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4412	powershell.exe
3772	powershell.exe
856	powershell.exe
4672	powershell.exe
2404	powershell.exe
1828	powershell.exe
5012	powershell.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4160	powershell.exe
4160	powershell.exe
4672	powershell.exe
4672	powershell.exe
2404	powershell.exe
2404	powershell.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
4412	powershell.exe
4412	powershell.exe
1828	powershell.exe
1828	powershell.exe
856	powershell.exe
856	powershell.exe
3772	powershell.exe
3772	powershell.exe
5012	powershell.exe
5012	powershell.exe
4160	powershell.exe
1180	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	1180	SppExtComObj.exe
Token: SeDebugPrivilege	1968	SppExtComObj.exe
Token: SeDebugPrivilege	3272	SppExtComObj.exe
Token: SeDebugPrivilege	440	SppExtComObj.exe
Token: SeDebugPrivilege	3192	SppExtComObj.exe
Token: SeDebugPrivilege	4664	SppExtComObj.exe
Token: SeDebugPrivilege	4568	SppExtComObj.exe
Token: SeDebugPrivilege	2828	SppExtComObj.exe
Token: SeDebugPrivilege	960	SppExtComObj.exe
Token: SeDebugPrivilege	3840	SppExtComObj.exe
Token: SeDebugPrivilege	1560	SppExtComObj.exe
Token: SeDebugPrivilege	816	SppExtComObj.exe
Token: SeDebugPrivilege	3792	SppExtComObj.exe
Token: SeDebugPrivilege	4192	SppExtComObj.exe
Token: SeDebugPrivilege	4976	SppExtComObj.exe
Token: SeDebugPrivilege	1184	SppExtComObj.exe
Token: SeDebugPrivilege	2988	SppExtComObj.exe
Token: SeDebugPrivilege	2544	SppExtComObj.exe
Token: SeDebugPrivilege	3752	SppExtComObj.exe
Token: SeDebugPrivilege	4420	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4160	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	92
PID 4408 wrote to memory of 4160	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	92
PID 4408 wrote to memory of 5012	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	93
PID 4408 wrote to memory of 5012	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	93
PID 4408 wrote to memory of 4412	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	94
PID 4408 wrote to memory of 4412	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	94
PID 4408 wrote to memory of 1828	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	95
PID 4408 wrote to memory of 1828	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	95
PID 4408 wrote to memory of 4672	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	96
PID 4408 wrote to memory of 4672	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	96
PID 4408 wrote to memory of 2404	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	97
PID 4408 wrote to memory of 2404	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	97
PID 4408 wrote to memory of 3772	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	98
PID 4408 wrote to memory of 3772	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	98
PID 4408 wrote to memory of 856	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	99
PID 4408 wrote to memory of 856	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	99
PID 4408 wrote to memory of 1180	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	108
PID 4408 wrote to memory of 1180	4408	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe	108
PID 1180 wrote to memory of 608	1180	SppExtComObj.exe	109
PID 1180 wrote to memory of 608	1180	SppExtComObj.exe	109
PID 1180 wrote to memory of 3708	1180	SppExtComObj.exe	110
PID 1180 wrote to memory of 3708	1180	SppExtComObj.exe	110
PID 608 wrote to memory of 1968	608	WScript.exe	113
PID 608 wrote to memory of 1968	608	WScript.exe	113
PID 1968 wrote to memory of 2400	1968	SppExtComObj.exe	116
PID 1968 wrote to memory of 2400	1968	SppExtComObj.exe	116
PID 1968 wrote to memory of 2388	1968	SppExtComObj.exe	117
PID 1968 wrote to memory of 2388	1968	SppExtComObj.exe	117
PID 2400 wrote to memory of 3272	2400	WScript.exe	125
PID 2400 wrote to memory of 3272	2400	WScript.exe	125
PID 3272 wrote to memory of 4804	3272	SppExtComObj.exe	126
PID 3272 wrote to memory of 4804	3272	SppExtComObj.exe	126
PID 3272 wrote to memory of 1696	3272	SppExtComObj.exe	127
PID 3272 wrote to memory of 1696	3272	SppExtComObj.exe	127
PID 4804 wrote to memory of 440	4804	WScript.exe	130
PID 4804 wrote to memory of 440	4804	WScript.exe	130
PID 440 wrote to memory of 4352	440	SppExtComObj.exe	131
PID 440 wrote to memory of 4352	440	SppExtComObj.exe	131
PID 440 wrote to memory of 1484	440	SppExtComObj.exe	132
PID 440 wrote to memory of 1484	440	SppExtComObj.exe	132
PID 4352 wrote to memory of 3192	4352	WScript.exe	134
PID 4352 wrote to memory of 3192	4352	WScript.exe	134
PID 3192 wrote to memory of 1528	3192	SppExtComObj.exe	135
PID 3192 wrote to memory of 1528	3192	SppExtComObj.exe	135
PID 3192 wrote to memory of 1644	3192	SppExtComObj.exe	136
PID 3192 wrote to memory of 1644	3192	SppExtComObj.exe	136
PID 1528 wrote to memory of 4664	1528	WScript.exe	137
PID 1528 wrote to memory of 4664	1528	WScript.exe	137
PID 4664 wrote to memory of 3692	4664	SppExtComObj.exe	138
PID 4664 wrote to memory of 3692	4664	SppExtComObj.exe	138
PID 4664 wrote to memory of 3584	4664	SppExtComObj.exe	139
PID 4664 wrote to memory of 3584	4664	SppExtComObj.exe	139
PID 3692 wrote to memory of 4568	3692	WScript.exe	140
PID 3692 wrote to memory of 4568	3692	WScript.exe	140
PID 4568 wrote to memory of 4084	4568	SppExtComObj.exe	141
PID 4568 wrote to memory of 4084	4568	SppExtComObj.exe	141
PID 4568 wrote to memory of 640	4568	SppExtComObj.exe	142
PID 4568 wrote to memory of 640	4568	SppExtComObj.exe	142
PID 4084 wrote to memory of 2828	4084	WScript.exe	143
PID 4084 wrote to memory of 2828	4084	WScript.exe	143
PID 2828 wrote to memory of 3836	2828	SppExtComObj.exe	144
PID 2828 wrote to memory of 3836	2828	SppExtComObj.exe	144
PID 2828 wrote to memory of 3508	2828	SppExtComObj.exe	145
PID 2828 wrote to memory of 3508	2828	SppExtComObj.exe	145

System policy modification 1 TTPs 63 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe
"C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.371\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PhoneOm\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\SettingsHandlers_AnalogShell\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
  "C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1180
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e05f8d54-3d63-4c21-baa0-10da7c6c9f9f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:608
  - - C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
      C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3fe7db8-dc2d-48bb-8d76-1ebaf51023f4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2efdb9ec-0623-47a3-b6df-cc3ace4142ad.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90e0ae3f-81f2-430a-92bd-8213a7004134.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46d9e565-368e-478f-aa29-250565592899.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbeec602-c83a-4213-943d-2102bcd7e018.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbbcb475-dab2-45e9-8c7c-f64f7f708a6a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        16⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9320e0-e3ac-4c2d-84bd-f2d485ab8a52.vbs"
        17⤵
        
        PID:3836
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        18⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253b0055-e7da-402e-9c5d-308ffe3038bb.vbs"
        19⤵
        
        PID:3436
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        20⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22768550-35ef-4397-aefd-5bb057734921.vbs"
        21⤵
        
        PID:4852
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        22⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\878524db-0b0f-4b01-9c16-cca9de551a4c.vbs"
        23⤵
        
        PID:2168
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        24⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a80af0b5-86d5-454e-975e-c6b94bf4dfd8.vbs"
        25⤵
        
        PID:2156
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        26⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1cc613d-7354-4f17-b26a-23c33dbf1d83.vbs"
        27⤵
        
        PID:3540
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        28⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d992993f-d479-4048-a06d-2c7dbf6251c0.vbs"
        29⤵
        
        PID:2640
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        30⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e5f3ba5-e7eb-4f1f-91b4-b5b64e8d10df.vbs"
        31⤵
        
        PID:2892
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        32⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aabf96bb-1078-42c7-8fc0-7bb2906c68c3.vbs"
        33⤵
        
        PID:4852
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        34⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce4fd56f-a939-4e64-a32a-3b2fc5710474.vbs"
        35⤵
        
        PID:4068
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        36⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5482223a-506f-4487-844c-904e54a66ea5.vbs"
        37⤵
        
        PID:3836
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        38⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa38a180-9992-4886-87f4-719555c0747f.vbs"
        39⤵
        
        PID:4260
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        
        C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe
        40⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ce55e8-2a8d-4ce9-b79a-d7f2f5d7830b.vbs"
        41⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ecdf4c34-4952-49c4-be5f-a3bdf8ad5ed0.vbs"
        41⤵
        
        PID:3228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58718544-fb02-49a5-8560-380c2ae670ca.vbs"
        39⤵
        
        PID:4352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2f6e70-f33c-44cb-bdb9-98d02c04f1fc.vbs"
        37⤵
        
        PID:3300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0d3a354-eb25-4adb-9fc5-57a02a3a9758.vbs"
        35⤵
        
        PID:3512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a5429bc-2c63-432b-af72-cfa4ad7d3285.vbs"
        33⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bf4aa7-ce96-4fa4-9783-57301c9809b4.vbs"
        31⤵
        
        PID:1880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad6036ec-e45a-49ed-a956-8f0a0dbcf41b.vbs"
        29⤵
        
        PID:4160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b701d225-e909-48ff-93cc-b8502dfaa9e9.vbs"
        27⤵
        
        PID:3196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773626fd-43c1-4932-b46d-9f4ce62cb546.vbs"
        25⤵
        
        PID:3272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e04307d4-4e5e-49cf-a3f8-080e6bb2ae39.vbs"
        23⤵
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c335f654-6a54-4fa1-be1e-6190dca4ce48.vbs"
        21⤵
        
        PID:3632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55f8728d-89e1-47ec-ac39-a6fa1ea2e3ed.vbs"
        19⤵
        
        PID:5092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d925410-3966-4bd7-af45-470ee346405b.vbs"
        17⤵
        
        PID:3508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9509f1cb-7480-4b5d-9096-779d7b73d58c.vbs"
        15⤵
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84d9fefd-df7b-4891-bd8c-ba192cacd1da.vbs"
        13⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f57be7-d3ab-43ff-ab77-daae5f724f94.vbs"
        11⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\219eafad-07e1-44b4-b918-3b935f42b759.vbs"
        9⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c580b9aa-26b2-4288-b251-816d8eceef87.vbs"
        7⤵
        
        PID:1696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c79879c-d3e0-4e10-ace7-ad5c03459beb.vbs"
        5⤵
        
        PID:2388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0a2d2ed-38e7-44f1-a023-c74209cf29aa.vbs"
    3⤵
    PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInput\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Internal.PredictionUnit\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.371\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\PhoneOm\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\SettingsHandlers_AnalogShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Documents and Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\22768550-35ef-4397-aefd-5bb057734921.vbs

Filesize
744B

MD5
0138e444cc71bf44c47ecfb8f4535a4d

SHA1
ef06b2b4daff10f541f22580c30204a93185f499

SHA256
3849593a62895bcc5db2444909fb79e476285899f0974e7eb8bcf86019f72927

SHA512
bcc179b900998a03870b63d8928beeef4312362cb5a8fabf1b1e9dd8a3ac582058f7e89d50e6d2757ffe1fdcd1762c39e9836428167d459d6eaa61d7f49b01dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\253b0055-e7da-402e-9c5d-308ffe3038bb.vbs

Filesize
743B

MD5
d7f3fa3df181b28fade5cf7809c8e078

SHA1
2ffb4bc2d4f40992437dcfaf72d7d508891549e3

SHA256
40ea2bb2368a286100b80f8ef46f669faada60eb2080d18a55db31cf1bae8cfb

SHA512
830aa28cc428899fdd7ae8b3761ec4232cc898a000a2ff3d18cc0a59b0a12747b5c20c69890c862e88a652371183f9a925c095f253b8dac4458d893d94983c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\2efdb9ec-0623-47a3-b6df-cc3ace4142ad.vbs

Filesize
744B

MD5
98b14528229f15c1f6b43898d63437a7

SHA1
922e76c8edab91fea144fea902fce55cc7b11586

SHA256
4ad9dbaa578be2c60b07efbc0b1a06f5b28771b343569848db1e82ccde361ea7

SHA512
2a990deba8d009dd0548d21e023f0ac60cf517ef728aa9dbae8495bef01bcd0a583e2c718a5d519326a99d0c3cdefd1fa63c57fc9db7034be6d025730d08fdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\46d9e565-368e-478f-aa29-250565592899.vbs

Filesize
744B

MD5
67819590505ab776321b9621d8d58256

SHA1
317f7e78ef9f1cf3e483d1f985c49016a2055fe0

SHA256
a76cec4c1f8197b4869e7597041ad23793037dc84ecaebeb93b1bb7e8017043b

SHA512
66b8e43e9d6cd602c9949a1342c5816df99a1337cd4a6803820bed6ca39ba43cf50f2939c6e22706bb19c78eb232488d41a8fbe2dfa49eb34c3277cdf8ad823a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c9320e0-e3ac-4c2d-84bd-f2d485ab8a52.vbs

Filesize
744B

MD5
30eece43946f692865b366c2a6949213

SHA1
16c55c6c4ad81d40036525712f90c528c15e9549

SHA256
ec90fb6a39766bcf3815989b6e6797a5f407688db1fdda694bf0b5cd8e0894ac

SHA512
9d9ad468900d7135078d4f534aa629177fb9be498b22f7bfad585f00c04ef333a9c2193f4464ce3b2b698b1bceeae01b482262597813cd44dd6a5cf06a50caba

Download Submit
C:\Users\Admin\AppData\Local\Temp\878524db-0b0f-4b01-9c16-cca9de551a4c.vbs

Filesize
744B

MD5
e6b0317cff5308c02e79743266d55739

SHA1
35973e7a3377e91d1b89ce39b230ef29986ee608

SHA256
06c3d55c1689c82f79634afcfb6e5fda6ff1498de71d76fcf2885856b285f011

SHA512
5f6c43fee82af8927017901e4673ffb030da8eed984499a31a1f5293921caf11178d10d603847664335f9591eab6906a8c01204fb7959cba3270797783cebddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\90e0ae3f-81f2-430a-92bd-8213a7004134.vbs

Filesize
743B

MD5
7f2f285b123c8f03a792d923bbf2c782

SHA1
95e155750748d87bc0e03bbadc3a86b3853b41a4

SHA256
390d55b345f8363b77269676af1457dc40bef570eecc1a8d69af648d9f6ec234

SHA512
bba622d6e97af920700bf00c60e2f0baae2e98d0978186732d8c035b3f4e1e999155a5343e3226f433542d7acee5e13f0aa1461a6f424a0c64b36192e7198dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqsq2o5a.k5h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1cc613d-7354-4f17-b26a-23c33dbf1d83.vbs

Filesize
744B

MD5
aa694467919c62bea7d4a7f686b4ed12

SHA1
3be51f1a75b060a41ed57092bb3c53b7eeeac145

SHA256
94e55384e5a23d29dcec48c56e96041e3f57e29336c4e314641b11d4b74f81cf

SHA512
7122b8eeb0f1a2993b549c2361fb304575dd2b2eb2ba5e5aa587e8ea193c695832c552d284735ea80dc7e837820d8b808757fd76135355d7c73e8ea841a8db00

Download Submit
C:\Users\Admin\AppData\Local\Temp\a80af0b5-86d5-454e-975e-c6b94bf4dfd8.vbs

Filesize
743B

MD5
652bfec4f18025801ad82552416e6d7b

SHA1
29965ddad1725dc9c74e3f90d773e0ca0ebb62a2

SHA256
ddc1586e56dc58697ec584544ac7618ddfa459d431884884f01d5d5c7ca71310

SHA512
3eab5d571eafc689ab3d0626be93535fb448aeb4c194ac944105b21520fe8b59608d2deefffe5110a2b54b44de64d306f7e40cd0c0852d32ebbd4365c4a1246b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbeec602-c83a-4213-943d-2102bcd7e018.vbs

Filesize
744B

MD5
47f6df604bb5860b5241dbb9613a5b83

SHA1
34cb8bd357066d9382d1732a36c83e354ac0509f

SHA256
e30064068ef1f07dad8f3904dd56f1088560d1617ffad67f827b3042c2c13a82

SHA512
ac290dec609cbc5947a7818aa04f6dd8bd3fe1c7645136d4412231d7594bd6d3a462daa170cdc18c8e62fd6b6871c3a54e519e3553c5c642e0a53e8ae4eb04fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0a2d2ed-38e7-44f1-a023-c74209cf29aa.vbs

Filesize
520B

MD5
e665a11a0fa3ef6f583dc2c44e9f5920

SHA1
bb1018752228a5b9fde30387687c10fc0d52b780

SHA256
471f11c26fae741825fd169ef11b623100390384de5bb1bf7db3046fa5ea85ab

SHA512
3f0aeff0cc0dfdcd35b4040c6aeef11a15e328e08b942f388aba90bdf9317bb2fd9c760fa8b0bb4f64425403a920449925e4fed85eac3f0098b5971576c2caa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d992993f-d479-4048-a06d-2c7dbf6251c0.vbs

Filesize
744B

MD5
90f2dbfb3ab17137a9b2d165207dc282

SHA1
f6cf106ea136ae07fd869cacda37baeca43e6733

SHA256
5f10554e6edbee85e79ff1cf395c1bc8366d0d13edea06a2dc2358fdfb2a5a1b

SHA512
0075e0dedf15cfe0e9c5c5412c82ea567add42cd891ca463fa2c47599a9fe165589230eb75883af23286b16b44b9a514d6c2f5b64bc9fb601fd446deccbfca17

Download Submit
C:\Users\Admin\AppData\Local\Temp\e05f8d54-3d63-4c21-baa0-10da7c6c9f9f.vbs

Filesize
744B

MD5
0fede330382caa93f86803e519994a90

SHA1
0863d8830ddb7a7c28a4f2c643d91a83e8cc58d4

SHA256
562a5fcb7276adbbb084ecd74d69da2511d53a2e5b28df608a0ff0e873913b40

SHA512
d008adbccd5abc20a151872aa53b6db66733def9a2524086e53ea050d9b43160d5dafafa9048ca17a97c9f7a41569680c376238e5f593261d004f76c23720408

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3fe7db8-dc2d-48bb-8d76-1ebaf51023f4.vbs

Filesize
744B

MD5
1debfaf0a1e06c17ab3210cdfe116b07

SHA1
c323481da671218de53c31ee75ed1d0a88f7fd26

SHA256
7004369ee034123662be2d2fe9737f0c842d2535ed240a17b124c639d8dc17e5

SHA512
c42a3134db44632a75744dfb0c9966dddfadc2f34646a5e01fcdf087c59c8e90de286a3171ec5eb3613bc0b15ec0a9dfc48499ba343d1353551142a9d971d98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbbcb475-dab2-45e9-8c7c-f64f7f708a6a.vbs

Filesize
744B

MD5
93f0738f90ac71deab6b17fdf90f58bf

SHA1
601315804d5df4b1a156aac6c4a1a3a36ecfcc3c

SHA256
f24f8636820bf4393ec44f2da2c464b4c4403c272a1488a030ac202969169f71

SHA512
6075c410215a5dc8819b57c08edaf80656bbc63a5334f7ac59792d2d1dda318b133b65a07a598ba7ac716dae82594e3070bfcbd282efd1ebc495689e9dfda81e

Download Submit
C:\Windows\System32\PhoneOm\spoolsv.exe

Filesize
1.5MB

MD5
d38d717691c05fac4769e664d6e53248

SHA1
33bef9a88e278cc160f053a9ba87b2a16f7108b7

SHA256
68acdb1a4e4a4abd1761b84e70428ab30c304cb51b3a141b1e0de19592ca3d46

SHA512
811186aaeece8a84e6c6bf6b520660858a12a57229b9bb337f1edf916435b9d8679c301ba5737f6233e06c47965eedde7d522a8cb04d782705522ab2cf488c09

Download Submit
memory/816-365-0x00000000030C0000-0x00000000030D2000-memory.dmp

Filesize
72KB

Download
memory/1560-353-0x0000000001290000-0x00000000012A2000-memory.dmp

Filesize
72KB

Download
memory/1968-250-0x0000000002C50000-0x0000000002C62000-memory.dmp

Filesize
72KB

Download
memory/2544-418-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download
memory/2828-319-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/3192-285-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/3272-262-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/4408-0-0x00007FF9D97A3000-0x00007FF9D97A5000-memory.dmp

Filesize
8KB

Download
memory/4408-15-0x000000001B690000-0x000000001B69A000-memory.dmp

Filesize
40KB

Download
memory/4408-25-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/4408-18-0x000000001BCD0000-0x000000001BCD8000-memory.dmp

Filesize
32KB

Download
memory/4408-10-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/4408-16-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/4408-14-0x000000001B680000-0x000000001B68C000-memory.dmp

Filesize
48KB

Download
memory/4408-13-0x000000001B670000-0x000000001B67A000-memory.dmp

Filesize
40KB

Download
memory/4408-9-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/4408-8-0x000000001B620000-0x000000001B628000-memory.dmp

Filesize
32KB

Download
memory/4408-12-0x000000001B660000-0x000000001B668000-memory.dmp

Filesize
32KB

Download
memory/4408-6-0x0000000002B10000-0x0000000002B1A000-memory.dmp

Filesize
40KB

Download
memory/4408-17-0x000000001BCC0000-0x000000001BCCC000-memory.dmp

Filesize
48KB

Download
memory/4408-11-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/4408-220-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/4408-7-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/4408-5-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/4408-3-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download
memory/4408-24-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/4408-4-0x0000000002B00000-0x0000000002B12000-memory.dmp

Filesize
72KB

Download
memory/4408-21-0x000000001BDF0000-0x000000001BDF8000-memory.dmp

Filesize
32KB

Download
memory/4408-2-0x00007FF9D97A0000-0x00007FF9DA261000-memory.dmp

Filesize
10.8MB

Download
memory/4408-1-0x0000000000850000-0x00000000009CE000-memory.dmp

Filesize
1.5MB

Download
memory/4408-20-0x000000001BCE0000-0x000000001BCEC000-memory.dmp

Filesize
48KB

Download
memory/4412-141-0x000001F9E43E0000-0x000001F9E4402000-memory.dmp

Filesize
136KB

Download
memory/4420-433-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download