asyncrat | a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\NortonInstaller.exe\""	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EdgeBrowser.exe\""	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe\""	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\Documents\\EpicGames Service.exe\""	EpicGames Service.exe

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

Windows security bypass 2 TTPs 9 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2908-269-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2908-258-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2908-361-0x000000000040D0DE-mapping.dmp	asyncrat

Executes dropped EXE 7 IoCs

pid	Process
1916	Licens modul.exe
1928	EpicGames Service.exe
1328	Firefoxinstaller.exe
1632	NortonInstaller.exe
536	EdgeBrowser.exe
1900	WD+UAC.exe
428	Minecraft Checker v0.1.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe	EpicGames Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe	NortonInstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe	Firefoxinstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe	EdgeBrowser.exe

Loads dropped DLL 14 IoCs

pid	Process
1632	NortonInstaller.exe
1632	NortonInstaller.exe
1328	Firefoxinstaller.exe
1328	Firefoxinstaller.exe
1632	NortonInstaller.exe
1328	Firefoxinstaller.exe
428	Minecraft Checker v0.1.exe
428	Minecraft Checker v0.1.exe
428	Minecraft Checker v0.1.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe
1508	WerFault.exe

Windows security modification 2 TTPs 10 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe = "0"	EpicGames Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe = "0"	EdgeBrowser.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\NortonInstaller.exe = "0"	NortonInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\Firefoxinstaller.exe = "0"	Firefoxinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\EpicGames Service.exe = "0"	EpicGames Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Firefoxinstaller.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NortonInstaller.exe = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\EdgeBrowser.exe = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe"	EdgeBrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefoxinstaller.exe = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\EpicGames Service.exe = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\NortonInstaller.exe"	NortonInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EpicGames Service.exe"	EpicGames Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\Firefoxinstaller.exe"	Firefoxinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\Documents\\EdgeBrowser.exe"	EdgeBrowser.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WD+UAC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1508	1900	WerFault.exe	32
2912	1916	WerFault.exe	27
1060	1328	WerFault.exe	29
2336	1928	WerFault.exe	28

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2072	schtasks.exe
2532	schtasks.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
2644	timeout.exe
2656	timeout.exe
2504	timeout.exe
2676	timeout.exe
2504	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Licens modul.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Licens modul.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Licens modul.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Licens modul.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe
1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe
1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe
1580	powershell.exe
1332	powershell.exe
1084	powershell.exe
1748	powershell.exe
1276	powershell.exe
1912	powershell.exe
1696	powershell.exe
1892	powershell.exe
1360	powershell.exe
944	powershell.exe
2140	powershell.exe
2204	powershell.exe
888	powershell.exe
2056	powershell.exe
2152	powershell.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe
Token: SeDebugPrivilege	1916	Licens modul.exe
Token: SeDebugPrivilege	536	EdgeBrowser.exe
Token: SeDebugPrivilege	1632	NortonInstaller.exe
Token: SeDebugPrivilege	1928	EpicGames Service.exe
Token: SeDebugPrivilege	1328	Firefoxinstaller.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 1916	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	27
PID 1028 wrote to memory of 1916	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	27
PID 1028 wrote to memory of 1916	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	27
PID 1028 wrote to memory of 1916	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	27
PID 1028 wrote to memory of 1928	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	28
PID 1028 wrote to memory of 1928	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	28
PID 1028 wrote to memory of 1928	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	28
PID 1028 wrote to memory of 1928	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	28
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1328	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	29
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 1632	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	30
PID 1028 wrote to memory of 536	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	31
PID 1028 wrote to memory of 536	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	31
PID 1028 wrote to memory of 536	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	31
PID 1028 wrote to memory of 536	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	31
PID 1028 wrote to memory of 1900	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	32
PID 1028 wrote to memory of 1900	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	32
PID 1028 wrote to memory of 1900	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	32
PID 1028 wrote to memory of 1900	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	32
PID 1028 wrote to memory of 428	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	33
PID 1028 wrote to memory of 428	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	33
PID 1028 wrote to memory of 428	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	33
PID 1028 wrote to memory of 428	1028	a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe	33
PID 1900 wrote to memory of 1508	1900	WD+UAC.exe	34
PID 1900 wrote to memory of 1508	1900	WD+UAC.exe	34
PID 1900 wrote to memory of 1508	1900	WD+UAC.exe	34
PID 1900 wrote to memory of 1508	1900	WD+UAC.exe	34
PID 536 wrote to memory of 1276	536	EdgeBrowser.exe	38
PID 536 wrote to memory of 1276	536	EdgeBrowser.exe	38
PID 536 wrote to memory of 1276	536	EdgeBrowser.exe	38
PID 536 wrote to memory of 1276	536	EdgeBrowser.exe	38
PID 1928 wrote to memory of 1580	1928	EpicGames Service.exe	37
PID 1928 wrote to memory of 1580	1928	EpicGames Service.exe	37
PID 1928 wrote to memory of 1580	1928	EpicGames Service.exe	37
PID 1928 wrote to memory of 1580	1928	EpicGames Service.exe	37
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1328 wrote to memory of 1748	1328	Firefoxinstaller.exe	35
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1632 wrote to memory of 1360	1632	NortonInstaller.exe	39
PID 1928 wrote to memory of 1912	1928	EpicGames Service.exe	44
PID 1928 wrote to memory of 1912	1928	EpicGames Service.exe	44
PID 1928 wrote to memory of 1912	1928	EpicGames Service.exe	44
PID 1928 wrote to memory of 1912	1928	EpicGames Service.exe	44

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WD+UAC.exe

C:\Users\Admin\AppData\Local\Temp\a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe
"C:\Users\Admin\AppData\Local\Temp\a29f7b2deaf61c8a5bae8098a5fc6a695521828f9b46d8bf123a29b1232ec2d8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\Documents\Licens modul.exe
  "C:\Users\Admin\Documents\Licens modul.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1748
    3⤵
    - Program crash
    PID:2912
- C:\Users\Admin\Documents\EpicGames Service.exe
  "C:\Users\Admin\Documents\EpicGames Service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EpicGames Service.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:2644
- - C:\Users\Admin\Documents\EpicGames Service.exe
    "C:\Users\Admin\Documents\EpicGames Service.exe"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1928
    3⤵
    - Program crash
    PID:2336
- C:\Users\Admin\Documents\Firefoxinstaller.exe
  "C:\Users\Admin\Documents\Firefoxinstaller.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\Firefoxinstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:2676
- - C:\Users\Admin\Documents\Firefoxinstaller.exe
    "C:\Users\Admin\Documents\Firefoxinstaller.exe"
    3⤵
    PID:2312
  - - C:\Users\Admin\Documents\Firefoxinstaller.exe
      "C:\Users\Admin\Documents\Firefoxinstaller.exe"
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 1952
    3⤵
    - Program crash
    PID:1060
- C:\Users\Admin\Documents\NortonInstaller.exe
  "C:\Users\Admin\Documents\NortonInstaller.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NortonInstaller.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:2504
- - C:\Users\Admin\Documents\NortonInstaller.exe
    "C:\Users\Admin\Documents\NortonInstaller.exe"
    3⤵
    PID:808
- C:\Users\Admin\Documents\EdgeBrowser.exe
  "C:\Users\Admin\Documents\EdgeBrowser.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Windows security bypass
  - Executes dropped EXE
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\EdgeBrowser.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:2656
- - C:\Users\Admin\Documents\EdgeBrowser.exe
    "C:\Users\Admin\Documents\EdgeBrowser.exe"
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /tn NYAN /F
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn NYAN /tr "C:\Users\Admin\Documents\EdgeBrowser.exe" /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:2532
  - - C:\Users\Admin\EdgeBrowser.exe
      "C:\Users\Admin\EdgeBrowser.exe"
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeBrowser.exe" -Force
        5⤵
        
        PID:2328
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\EdgeBrowser.exe" -Force
        5⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        5⤵
        
        PID:328
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2504
    - - C:\Users\Admin\EdgeBrowser.exe
        
        "C:\Users\Admin\EdgeBrowser.exe"
        5⤵
        
        PID:1872
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /tn NYAN /F
        6⤵
        
        PID:2128
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn NYAN /tr "C:\Users\Admin\EdgeBrowser.exe" /sc minute /mo 1
        6⤵
        Creates scheduled task(s)
        
        PID:2072
- C:\Users\Admin\AppData\Local\Temp\WD+UAC.exe
  "C:\Users\Admin\AppData\Local\Temp\WD+UAC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 620
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker v0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker v0.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Install Root Certificate

T1130

Modify Registry