83fd2015a5499a8c2703d91aa047d0f099b85e8aa5ef9f2643a4eda4144a8772

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	EofbViOjFpRS7hffLQht17dTG.exe

Executes dropped EXE 1 IoCs

pid	Process
3876	EofbViOjFpRS7hffLQht17dTG.exe

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yi6joqUAg7OgBVikeHphsRKKG = "C:\\Windows\\system32\\n0OUC3BcrHzDMVyBPrplO7fOy\\EofbViOjFpRS7hffLQht17dTG.exe"	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
File opened for modification	C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
848	timeout.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1192	ipconfig.exe
4184	ipconfig.exe
4188	ipconfig.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
388	schtasks.exe
3636	schtasks.exe
2668	schtasks.exe
2612	schtasks.exe
1016	schtasks.exe
2568	schtasks.exe
3544	schtasks.exe
1716	schtasks.exe
1936	schtasks.exe
3444	schtasks.exe
848	schtasks.exe
4980	schtasks.exe
1284	schtasks.exe
1436	schtasks.exe
8	schtasks.exe
2860	schtasks.exe
4340	schtasks.exe
1952	schtasks.exe
4428	schtasks.exe
1424	schtasks.exe
2540	schtasks.exe
1244	schtasks.exe
4588	schtasks.exe
4420	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3876	EofbViOjFpRS7hffLQht17dTG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3316	powershell.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Token: SeDebugPrivilege	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeBackupPrivilege	1168	vssvc.exe
Token: SeRestorePrivilege	1168	vssvc.exe
Token: SeAuditPrivilege	1168	vssvc.exe
Token: SeDebugPrivilege	3876	EofbViOjFpRS7hffLQht17dTG.exe
Token: SeDebugPrivilege	3876	EofbViOjFpRS7hffLQht17dTG.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1192	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	86
PID 3108 wrote to memory of 1192	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	86
PID 3108 wrote to memory of 3316	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	89
PID 3108 wrote to memory of 3316	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	89
PID 3108 wrote to memory of 2860	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	97
PID 3108 wrote to memory of 2860	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	97
PID 3108 wrote to memory of 3876	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	99
PID 3108 wrote to memory of 3876	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	99
PID 3108 wrote to memory of 4584	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	100
PID 3108 wrote to memory of 4584	3108	6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe	100
PID 4584 wrote to memory of 848	4584	cmd.exe	102
PID 4584 wrote to memory of 848	4584	cmd.exe	102
PID 3876 wrote to memory of 4184	3876	EofbViOjFpRS7hffLQht17dTG.exe	103
PID 3876 wrote to memory of 4184	3876	EofbViOjFpRS7hffLQht17dTG.exe	103
PID 3876 wrote to memory of 4188	3876	EofbViOjFpRS7hffLQht17dTG.exe	106
PID 3876 wrote to memory of 4188	3876	EofbViOjFpRS7hffLQht17dTG.exe	106
PID 3876 wrote to memory of 2540	3876	EofbViOjFpRS7hffLQht17dTG.exe	111
PID 3876 wrote to memory of 2540	3876	EofbViOjFpRS7hffLQht17dTG.exe	111
PID 3876 wrote to memory of 1244	3876	EofbViOjFpRS7hffLQht17dTG.exe	113
PID 3876 wrote to memory of 1244	3876	EofbViOjFpRS7hffLQht17dTG.exe	113
PID 3876 wrote to memory of 1716	3876	EofbViOjFpRS7hffLQht17dTG.exe	115
PID 3876 wrote to memory of 1716	3876	EofbViOjFpRS7hffLQht17dTG.exe	115
PID 3876 wrote to memory of 4340	3876	EofbViOjFpRS7hffLQht17dTG.exe	118
PID 3876 wrote to memory of 4340	3876	EofbViOjFpRS7hffLQht17dTG.exe	118
PID 3876 wrote to memory of 4588	3876	EofbViOjFpRS7hffLQht17dTG.exe	124
PID 3876 wrote to memory of 4588	3876	EofbViOjFpRS7hffLQht17dTG.exe	124
PID 3876 wrote to memory of 1936	3876	EofbViOjFpRS7hffLQht17dTG.exe	126
PID 3876 wrote to memory of 1936	3876	EofbViOjFpRS7hffLQht17dTG.exe	126
PID 3876 wrote to memory of 3444	3876	EofbViOjFpRS7hffLQht17dTG.exe	132
PID 3876 wrote to memory of 3444	3876	EofbViOjFpRS7hffLQht17dTG.exe	132
PID 3876 wrote to memory of 1952	3876	EofbViOjFpRS7hffLQht17dTG.exe	134
PID 3876 wrote to memory of 1952	3876	EofbViOjFpRS7hffLQht17dTG.exe	134
PID 3876 wrote to memory of 388	3876	EofbViOjFpRS7hffLQht17dTG.exe	136
PID 3876 wrote to memory of 388	3876	EofbViOjFpRS7hffLQht17dTG.exe	136
PID 3876 wrote to memory of 3636	3876	EofbViOjFpRS7hffLQht17dTG.exe	138
PID 3876 wrote to memory of 3636	3876	EofbViOjFpRS7hffLQht17dTG.exe	138
PID 3876 wrote to memory of 4428	3876	EofbViOjFpRS7hffLQht17dTG.exe	140
PID 3876 wrote to memory of 4428	3876	EofbViOjFpRS7hffLQht17dTG.exe	140
PID 3876 wrote to memory of 4420	3876	EofbViOjFpRS7hffLQht17dTG.exe	143
PID 3876 wrote to memory of 4420	3876	EofbViOjFpRS7hffLQht17dTG.exe	143
PID 3876 wrote to memory of 848	3876	EofbViOjFpRS7hffLQht17dTG.exe	145
PID 3876 wrote to memory of 848	3876	EofbViOjFpRS7hffLQht17dTG.exe	145
PID 3876 wrote to memory of 2668	3876	EofbViOjFpRS7hffLQht17dTG.exe	147
PID 3876 wrote to memory of 2668	3876	EofbViOjFpRS7hffLQht17dTG.exe	147
PID 3876 wrote to memory of 2612	3876	EofbViOjFpRS7hffLQht17dTG.exe	149
PID 3876 wrote to memory of 2612	3876	EofbViOjFpRS7hffLQht17dTG.exe	149
PID 3876 wrote to memory of 1016	3876	EofbViOjFpRS7hffLQht17dTG.exe	151
PID 3876 wrote to memory of 1016	3876	EofbViOjFpRS7hffLQht17dTG.exe	151
PID 3876 wrote to memory of 2568	3876	EofbViOjFpRS7hffLQht17dTG.exe	153
PID 3876 wrote to memory of 2568	3876	EofbViOjFpRS7hffLQht17dTG.exe	153
PID 3876 wrote to memory of 4980	3876	EofbViOjFpRS7hffLQht17dTG.exe	155
PID 3876 wrote to memory of 4980	3876	EofbViOjFpRS7hffLQht17dTG.exe	155
PID 3876 wrote to memory of 1424	3876	EofbViOjFpRS7hffLQht17dTG.exe	157
PID 3876 wrote to memory of 1424	3876	EofbViOjFpRS7hffLQht17dTG.exe	157
PID 3876 wrote to memory of 1284	3876	EofbViOjFpRS7hffLQht17dTG.exe	159
PID 3876 wrote to memory of 1284	3876	EofbViOjFpRS7hffLQht17dTG.exe	159
PID 3876 wrote to memory of 1436	3876	EofbViOjFpRS7hffLQht17dTG.exe	161
PID 3876 wrote to memory of 1436	3876	EofbViOjFpRS7hffLQht17dTG.exe	161
PID 3876 wrote to memory of 3544	3876	EofbViOjFpRS7hffLQht17dTG.exe	163
PID 3876 wrote to memory of 3544	3876	EofbViOjFpRS7hffLQht17dTG.exe	163
PID 3876 wrote to memory of 8	3876	EofbViOjFpRS7hffLQht17dTG.exe	165
PID 3876 wrote to memory of 8	3876	EofbViOjFpRS7hffLQht17dTG.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe
"C:\Users\Admin\AppData\Local\Temp\6aa340437e5bb3c895cbef7775c0694b2fa44692f995e85a64dca6e8f0e250c2.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Disables RegEdit via registry modification
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\System32\ipconfig.exe
  "C:\Windows\System32\ipconfig.exe" /release
  2⤵
  - Gathers network information
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2860
- C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe
  "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\System32\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /release
    3⤵
    - Gathers network information
    PID:4184
- - C:\Windows\System32\ipconfig.exe
    "C:\Windows\System32\ipconfig.exe" /renew
    3⤵
    - Gathers network information
    PID:4188
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1244
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1716
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4340
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:08 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4588
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3444
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1952
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:388
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3636
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4428
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4420
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:848
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:09 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2612
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1016
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2568
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4980
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1424
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1284
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1436
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3544
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks.exe" /create /tn Yi6joqUAg7OgBVikeHphsRKKG /tr "C:\Windows\system32\n0OUC3BcrHzDMVyBPrplO7fOy\EofbViOjFpRS7hffLQht17dTG.exe" /st 08:10 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5B3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\system32\timeout.exe
    timeout 6
    3⤵
    - Delays execution with timeout.exe
    PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry