colibri | 7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Size

4.9MB
MD5

84c3e32da77210eb29452816fe3d4830
SHA1

073ef3fe85c0ec68ad52c88c76644a8c2a4c0411
SHA256

7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81
SHA512

d094bdaa1fe2c53ee7e955be38e295fbb09c7138865fa095aa2441d4b6faa49aa3773746e9f1e9e35677f7bb84dfec24e8525bdd774fdbe2e8b1867445294692
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3580	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3580	schtasks.exe	83

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5036-3-0x000000001B4C0000-0x000000001B5EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2544	powershell.exe
3236	powershell.exe
4344	powershell.exe
4024	powershell.exe
2256	powershell.exe
4808	powershell.exe
3436	powershell.exe
4176	powershell.exe
4396	powershell.exe
4360	powershell.exe
4276	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 31 IoCs

pid	Process
2188	tmpA615.tmp.exe
4008	tmpA615.tmp.exe
2176	SearchApp.exe
4244	tmpE03E.tmp.exe
4800	tmpE03E.tmp.exe
1896	SearchApp.exe
3316	tmp10C4.tmp.exe
5084	tmp10C4.tmp.exe
2784	tmp10C4.tmp.exe
3392	tmp10C4.tmp.exe
660	SearchApp.exe
4436	tmp4253.tmp.exe
1976	tmp4253.tmp.exe
4400	SearchApp.exe
1284	tmp71D0.tmp.exe
1552	tmp71D0.tmp.exe
976	SearchApp.exe
1808	tmp8E31.tmp.exe
1976	tmp8E31.tmp.exe
5048	SearchApp.exe
2060	tmpBE79.tmp.exe
3264	tmpBE79.tmp.exe
1552	SearchApp.exe
764	tmpDAEA.tmp.exe
2752	tmpDAEA.tmp.exe
1976	SearchApp.exe
3256	SearchApp.exe
4400	tmp28EB.tmp.exe
3344	tmp28EB.tmp.exe
5032	SearchApp.exe
1624	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 4008	2188	tmpA615.tmp.exe	119
PID 4244 set thread context of 4800	4244	tmpE03E.tmp.exe	164
PID 2784 set thread context of 3392	2784	tmp10C4.tmp.exe	178
PID 4436 set thread context of 1976	4436	tmp4253.tmp.exe	188
PID 1284 set thread context of 1552	1284	tmp71D0.tmp.exe	198
PID 1808 set thread context of 1976	1808	tmp8E31.tmp.exe	209
PID 2060 set thread context of 3264	2060	tmpBE79.tmp.exe	218
PID 764 set thread context of 2752	764	tmpDAEA.tmp.exe	227
PID 4400 set thread context of 3344	4400	tmp28EB.tmp.exe	242

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\fontdrvhost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files\Google\Chrome\5b884080fd4f94	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXAED5.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXB36B.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\smss.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\66fc9ff0ee96c2	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files\Google\Chrome\fontdrvhost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXA684.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Mail\smss.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Program Files (x86)\WindowsPowerShell\9e8d7a4ca61bd9	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXB156.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXB56F.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\uk-UA\RuntimeBroker.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Windows\uk-UA\RuntimeBroker.exe	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File created	C:\Windows\uk-UA\9e8d7a4ca61bd9	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
File opened for modification	C:\Windows\uk-UA\RCXACC1.tmp	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp28EB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE03E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp10C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp10C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp10C4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E31.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBE79.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA615.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4253.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp71D0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDAEA.tmp.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5068	schtasks.exe
1584	schtasks.exe
2704	schtasks.exe
4920	schtasks.exe
1008	schtasks.exe
4280	schtasks.exe
640	schtasks.exe
216	schtasks.exe
2732	schtasks.exe
4532	schtasks.exe
3240	schtasks.exe
4412	schtasks.exe
1164	schtasks.exe
672	schtasks.exe
892	schtasks.exe
1736	schtasks.exe
4244	schtasks.exe
2236	schtasks.exe
1040	schtasks.exe
3508	schtasks.exe
2404	schtasks.exe
3164	schtasks.exe
2760	schtasks.exe
3052	schtasks.exe
5048	schtasks.exe
3700	schtasks.exe
1928	schtasks.exe
3256	schtasks.exe
2736	schtasks.exe
2628	schtasks.exe
3264	schtasks.exe
2284	schtasks.exe
3812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
2544	powershell.exe
2544	powershell.exe
4276	powershell.exe
4276	powershell.exe
4344	powershell.exe
4344	powershell.exe
4024	powershell.exe
4024	powershell.exe
3436	powershell.exe
3436	powershell.exe
2256	powershell.exe
2256	powershell.exe
4808	powershell.exe
4808	powershell.exe
4396	powershell.exe
4360	powershell.exe
4396	powershell.exe
4360	powershell.exe
4176	powershell.exe
4176	powershell.exe
3236	powershell.exe
3236	powershell.exe
3236	powershell.exe
4276	powershell.exe
4344	powershell.exe
4024	powershell.exe
2544	powershell.exe
4396	powershell.exe
4176	powershell.exe
3436	powershell.exe
2256	powershell.exe
4808	powershell.exe
4360	powershell.exe
2176	SearchApp.exe
1896	SearchApp.exe
660	SearchApp.exe
4400	SearchApp.exe
976	SearchApp.exe
5048	SearchApp.exe
1552	SearchApp.exe
1976	SearchApp.exe
3256	SearchApp.exe
5032	SearchApp.exe
1624	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2176	SearchApp.exe
Token: SeDebugPrivilege	1896	SearchApp.exe
Token: SeDebugPrivilege	660	SearchApp.exe
Token: SeDebugPrivilege	4400	SearchApp.exe
Token: SeDebugPrivilege	976	SearchApp.exe
Token: SeDebugPrivilege	5048	SearchApp.exe
Token: SeDebugPrivilege	1552	SearchApp.exe
Token: SeDebugPrivilege	1976	SearchApp.exe
Token: SeDebugPrivilege	3256	SearchApp.exe
Token: SeDebugPrivilege	5032	SearchApp.exe
Token: SeDebugPrivilege	1624	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2188	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	117
PID 5036 wrote to memory of 2188	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	117
PID 5036 wrote to memory of 2188	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	117
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 2188 wrote to memory of 4008	2188	tmpA615.tmp.exe	119
PID 5036 wrote to memory of 3236	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	126
PID 5036 wrote to memory of 3236	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	126
PID 5036 wrote to memory of 4276	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	127
PID 5036 wrote to memory of 4276	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	127
PID 5036 wrote to memory of 4344	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	128
PID 5036 wrote to memory of 4344	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	128
PID 5036 wrote to memory of 4360	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	129
PID 5036 wrote to memory of 4360	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	129
PID 5036 wrote to memory of 4396	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	130
PID 5036 wrote to memory of 4396	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	130
PID 5036 wrote to memory of 2544	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	132
PID 5036 wrote to memory of 2544	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	132
PID 5036 wrote to memory of 4808	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	133
PID 5036 wrote to memory of 4808	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	133
PID 5036 wrote to memory of 3436	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	134
PID 5036 wrote to memory of 3436	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	134
PID 5036 wrote to memory of 2256	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	135
PID 5036 wrote to memory of 2256	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	135
PID 5036 wrote to memory of 4024	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	136
PID 5036 wrote to memory of 4024	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	136
PID 5036 wrote to memory of 4176	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	137
PID 5036 wrote to memory of 4176	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	137
PID 5036 wrote to memory of 640	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	147
PID 5036 wrote to memory of 640	5036	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe	147
PID 640 wrote to memory of 872	640	cmd.exe	150
PID 640 wrote to memory of 872	640	cmd.exe	150
PID 640 wrote to memory of 2176	640	cmd.exe	158
PID 640 wrote to memory of 2176	640	cmd.exe	158
PID 2176 wrote to memory of 3764	2176	SearchApp.exe	160
PID 2176 wrote to memory of 3764	2176	SearchApp.exe	160
PID 2176 wrote to memory of 2544	2176	SearchApp.exe	161
PID 2176 wrote to memory of 2544	2176	SearchApp.exe	161
PID 2176 wrote to memory of 4244	2176	SearchApp.exe	162
PID 2176 wrote to memory of 4244	2176	SearchApp.exe	162
PID 2176 wrote to memory of 4244	2176	SearchApp.exe	162
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 4244 wrote to memory of 4800	4244	tmpE03E.tmp.exe	164
PID 3764 wrote to memory of 1896	3764	WScript.exe	167
PID 3764 wrote to memory of 1896	3764	WScript.exe	167
PID 1896 wrote to memory of 3044	1896	SearchApp.exe	169
PID 1896 wrote to memory of 3044	1896	SearchApp.exe	169
PID 1896 wrote to memory of 4640	1896	SearchApp.exe	170
PID 1896 wrote to memory of 4640	1896	SearchApp.exe	170
PID 1896 wrote to memory of 3316	1896	SearchApp.exe	174
PID 1896 wrote to memory of 3316	1896	SearchApp.exe	174
PID 1896 wrote to memory of 3316	1896	SearchApp.exe	174
PID 3316 wrote to memory of 5084	3316	tmp10C4.tmp.exe	176
PID 3316 wrote to memory of 5084	3316	tmp10C4.tmp.exe	176
PID 3316 wrote to memory of 5084	3316	tmp10C4.tmp.exe	176

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe
"C:\Users\Admin\AppData\Local\Temp\7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5036
- C:\Users\Admin\AppData\Local\Temp\tmpA615.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA615.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\tmpA615.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpA615.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kysjy9LHC3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:872
- - C:\Recovery\WindowsRE\SearchApp.exe
    "C:\Recovery\WindowsRE\SearchApp.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2176
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2f23ea-cb1c-4b55-99e7-d0e46b7102ba.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1896
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea6c4a3-f0f3-43d8-848b-01a442639a13.vbs"
        6⤵
        
        PID:3044
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb2fef1d-633c-4ca2-974d-74d777f0e164.vbs"
        8⤵
        
        PID:3776
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\773b8e28-ff11-4825-9d28-f477349634ea.vbs"
        10⤵
        
        PID:3192
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1735e953-68a8-4bb0-98d5-21f601608dd5.vbs"
        12⤵
        
        PID:2064
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4662d5b-b901-4a34-aa6a-f72b606381d6.vbs"
        14⤵
        
        PID:464
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30a9b607-cbdb-48bb-aec8-b784872dda7d.vbs"
        16⤵
        
        PID:1736
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50dbfc27-aebc-473b-9c35-0db12cf66994.vbs"
        18⤵
        
        PID:4840
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\801ce2f3-9822-44f3-a3f8-817adbf10e50.vbs"
        20⤵
        
        PID:4460
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a4686a1-49f9-447d-b7ec-55796b57e7aa.vbs"
        22⤵
        
        PID:4976
        
        C:\Recovery\WindowsRE\SearchApp.exe
        
        C:\Recovery\WindowsRE\SearchApp.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21565445-8bbb-41b4-91e1-7a862ea42b21.vbs"
        22⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp5857.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5857.tmp.exe"
        22⤵
        
        PID:4476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c8daaae-16bf-4326-99fd-59b72bf1f265.vbs"
        20⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp28EB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp28EB.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp28EB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp28EB.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ee16ca7-d7e5-4dd4-a862-e2fd603a12f0.vbs"
        18⤵
        
        PID:4100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2d2be9c-7453-4f7a-99cd-b4bb843d2fe9.vbs"
        16⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmpDAEA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDAEA.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmpDAEA.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpDAEA.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1485f3fb-e7d5-4ae2-9abe-4f4da9881a5c.vbs"
        14⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE79.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE79.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmpBE79.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpBE79.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ffc6af-987c-42ea-81e7-8a1a05be3291.vbs"
        12⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp8E31.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8E31.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp8E31.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8E31.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c1709f1-306d-44bc-8044-d829a067b681.vbs"
        10⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp71D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71D0.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp71D0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp71D0.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf7789c8-e857-420e-b5f5-cd364aa586da.vbs"
        8⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93ee8024-3ab8-4756-8538-c72e400669f7.vbs"
        6⤵
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp10C4.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:3392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5be997cb-ad29-4250-b715-9325557e3abe.vbs"
      4⤵
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpE03E.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N7" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N" /sc ONLOGON /tr "'C:\Users\Public\Music\7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N7" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RCXB9F6.tmp

Filesize
4.9MB

MD5
5dfb3579055c31f69cf5f9d3bac95c82

SHA1
86c25ccfbda74ffcba2f5e006bd83be309df7531

SHA256
934952774d45914146cef73a4a02b56f16bdbf39ecd34039d3c0f8e03b58f885

SHA512
73e965b8828d642b467006e0f89d5dcc17bbbdc67c25e5c34154a97b809cd66835cbc311625e113b6fff910d9011de2545bd45bfe034de97979103c8e715e6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1735e953-68a8-4bb0-98d5-21f601608dd5.vbs

Filesize
710B

MD5
95bbadae8942ed4b678a0e1c27850de1

SHA1
6a3ba00c049e4975e7700da6b9c3fadaf4232de2

SHA256
aea75dc392d71f5cefae1200c5b19f41d7d3dcb43955998cfafc9f2cdf3a92e5

SHA512
f2b46d1d5aed3593b4bc1fe38d97672ba721ec33d84902827e84889285b22980ab933ed3cc43382a83544c4bbcf4694c5ccc88c8115da93c1d17b518a9c95a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\30a9b607-cbdb-48bb-aec8-b784872dda7d.vbs

Filesize
711B

MD5
81504097290deff783b8b0f821245e85

SHA1
482fcd4411dfcc5d6450fa3e65f251c819a88e06

SHA256
ab045735fb079c2a4dbd1c69f44f2fd6b5eb034ec6aa387c40696ab2b0db5692

SHA512
0d0f8940ffeb6f6e7eb435c655fda8d474cfaba1595f0ff6f5cfc91435ccf98886daae0699fe2950dc15b4ab5f3ebc4410daefeb71d4571a18ca539737aa2ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5be997cb-ad29-4250-b715-9325557e3abe.vbs

Filesize
487B

MD5
e406eb5b9f764b4d4e75728bce134e19

SHA1
6504fbf2fc57b10dff455d77fab5a6bd52a540d7

SHA256
7075d1677369be57d1afafbf457a8d0c5bdbd33e110c70c5cb50e9b07891bb59

SHA512
31052f6bc23456417a8812742afe07aad2e522fa450ccc259951868a499e67c9ac2c339df26c694a0a70f75bb148ceeecbaab2a15926e0708d90e9c65b47eea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ea6c4a3-f0f3-43d8-848b-01a442639a13.vbs

Filesize
711B

MD5
a9013bd73aa357f602946bff1af19fef

SHA1
262910a917f80422725469094517b560f2cec536

SHA256
e2b56dd1eb048962dbd990323206428aea10d998ddb2e6c815403f04fa7fe57a

SHA512
44a8e1f832faab52b7bfc165960ced3a0c8d102ee5b68f8e62764cc4ac1890a496885c5e262c4e23f6be62f3e17fafd44d8e91b447d64c2004d0d89598b32c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\773b8e28-ff11-4825-9d28-f477349634ea.vbs

Filesize
711B

MD5
162a0089878bc4282de1e8cfd6129869

SHA1
0a391c8effd4bf64d478a7382bb56fcfa3378a9c

SHA256
672cc4d11987536018ff7703450afa4bffb5f42a26100195cb21988c9635675f

SHA512
bc5cae195393b867d9b01827560324d992abe3b5fd51068e9b198b964ba10d759a29e603ff3daa1986668de31d4f9187ccc5df7b8331c8654e3f3787bf04a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d2f23ea-cb1c-4b55-99e7-d0e46b7102ba.vbs

Filesize
711B

MD5
a88922718a7ea38eabe22543c37430f1

SHA1
8d6d8ed244a4c27eb8a05c9a357800d7eb1b1378

SHA256
3ab0dcea8de0b4063be1ec68fbca4fb27ca45d9ddb6365d1bf3284c20fa0b066

SHA512
27615acf5585cd399e8d0832ddf8dedcc733c89a4b4da4b85baa7f618a1cd83c4bc867b4c58677a80cc1e86cf9b37869c4b81e258549d3f4abc78356d0c0f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kysjy9LHC3.bat

Filesize
200B

MD5
0636d5009cfd061eda80e58ac27ba548

SHA1
5638eaaa4ec54275f2b015e8ee0d3624b60c0e97

SHA256
1480d0d99c1dd54e6abc55116c0915c7fe0bf8f79ae5195c83411d9df52b1d82

SHA512
6d592acf1d039df8e65a89c20978c4f0d0cdc8c3da76f2013668a2da743422bedde55363fe6c80c2e19254649cfc16eaf4d5ca6c8cb5c843b15ce7641995132e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkrhpoet.qqm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4662d5b-b901-4a34-aa6a-f72b606381d6.vbs

Filesize
711B

MD5
61e199db6cd2af8e13afb71297309e73

SHA1
0a020f5103aa25a36f02d3a5c8e515565db66c2a

SHA256
62412134080c272f0e220f2fb90629e6ecea82d9c337918fa6f1b1bf90b63b98

SHA512
d145466a6fa4c1340df4aa9f6f6b7ba7b8f9612296796ab906085c718362204d5c4a3c8fefaee6e5fecc653044ca3636c07ab4435f80322779f02206c24b50ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb2fef1d-633c-4ca2-974d-74d777f0e164.vbs

Filesize
710B

MD5
e4c2c6ea00c12791fefe74213144bc48

SHA1
e7310775d40a17e992a6c5e38794bf6bc916c28d

SHA256
4fe8f870e4f304c3f2ac6494b696f7f66dc6225a79e028f9f450672459e4ab44

SHA512
fc734da60e75f70008d84ea5e57cff2548addedce3434fedc2f3ceff8280a95d15f176d505ec6bd4be699cf784fb0314a5670d910b0966ee64bd5d6b0a6f76e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA615.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Windows\uk-UA\RuntimeBroker.exe

Filesize
4.9MB

MD5
84c3e32da77210eb29452816fe3d4830

SHA1
073ef3fe85c0ec68ad52c88c76644a8c2a4c0411

SHA256
7e60f1b37aecfc21c61c46b534862a212af62ad8ce5b9af83ba9d8f4f32f5a81

SHA512
d094bdaa1fe2c53ee7e955be38e295fbb09c7138865fa095aa2441d4b6faa49aa3773746e9f1e9e35677f7bb84dfec24e8525bdd774fdbe2e8b1867445294692

Download Submit
memory/976-363-0x000000001C010000-0x000000001C022000-memory.dmp

Filesize
72KB

Download
memory/1552-410-0x000000001B510000-0x000000001B522000-memory.dmp

Filesize
72KB

Download
memory/4008-67-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4276-146-0x0000013DE0340000-0x0000013DE0362000-memory.dmp

Filesize
136KB

Download
memory/5036-11-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/5036-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/5036-136-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-13-0x00000000027E0000-0x00000000027EA000-memory.dmp

Filesize
40KB

Download
memory/5036-14-0x00000000027F0000-0x00000000027FE000-memory.dmp

Filesize
56KB

Download
memory/5036-15-0x000000001B330000-0x000000001B33E000-memory.dmp

Filesize
56KB

Download
memory/5036-12-0x000000001C120000-0x000000001C648000-memory.dmp

Filesize
5.2MB

Download
memory/5036-16-0x000000001B340000-0x000000001B348000-memory.dmp

Filesize
32KB

Download
memory/5036-10-0x00000000027C0000-0x00000000027CA000-memory.dmp

Filesize
40KB

Download
memory/5036-18-0x000000001B360000-0x000000001B36C000-memory.dmp

Filesize
48KB

Download
memory/5036-9-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/5036-8-0x0000000002790000-0x00000000027A6000-memory.dmp

Filesize
88KB

Download
memory/5036-7-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/5036-5-0x000000001B2E0000-0x000000001B330000-memory.dmp

Filesize
320KB

Download
memory/5036-4-0x0000000000D60000-0x0000000000D7C000-memory.dmp

Filesize
112KB

Download
memory/5036-17-0x000000001B350000-0x000000001B358000-memory.dmp

Filesize
32KB

Download
memory/5036-2-0x00007FF97C100000-0x00007FF97CBC1000-memory.dmp

Filesize
10.8MB

Download
memory/5036-3-0x000000001B4C0000-0x000000001B5EE000-memory.dmp

Filesize
1.2MB

Download
memory/5036-0-0x00007FF97C103000-0x00007FF97C105000-memory.dmp

Filesize
8KB

Download
memory/5036-1-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download