dcrat | 4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

Analysis

max time kernel
152s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Size

1.2MB
MD5

3b8b335babae9d4a73824efe54aa2148
SHA1

ebb36ea7e8702f50272952071c18f362b0888003
SHA256

4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354
SHA512

d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e
SSDEEP

24576:NR28aergLxCcjZGKCKFuTBHNWdd2HAxWnUDTJ/yS3Rh:TJaDKf4p4UD1v

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1896	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5140	1896	schtasks.exe	93

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1888-0-0x0000000000F90000-0x00000000010CA000-memory.dmp	dcrat
behavioral2/files/0x0007000000023528-30.dat	dcrat
behavioral2/files/0x0008000000023534-179.dat	dcrat
behavioral2/memory/4636-181-0x00000000002F0000-0x000000000042A000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 4 IoCs

resource	yara_rule
behavioral2/memory/1888-0-0x0000000000F90000-0x00000000010CA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x0007000000023528-30.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x0008000000023534-179.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/4636-181-0x00000000002F0000-0x000000000042A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 7 IoCs

resource	yara_rule
behavioral2/memory/1888-6-0x0000000003390000-0x00000000033A0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-9-0x000000001BD40000-0x000000001BD4A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-11-0x000000001BD00000-0x000000001BD0C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-14-0x000000001BD50000-0x000000001BD5C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-16-0x000000001C450000-0x000000001C45A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-18-0x000000001C280000-0x000000001C28C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/1888-20-0x000000001C2A0000-0x000000001C2AA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe

Executes dropped EXE 9 IoCs

pid	Process
4636	backgroundTaskHost.exe
2064	backgroundTaskHost.exe
5216	backgroundTaskHost.exe
5668	backgroundTaskHost.exe
4704	backgroundTaskHost.exe
5640	backgroundTaskHost.exe
680	backgroundTaskHost.exe
5452	backgroundTaskHost.exe
5552	backgroundTaskHost.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\bg-BG\wininit.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Windows\System32\bg-BG\56085415360792	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Windows\System32\bg-BG\RCX6A57.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Windows\System32\bg-BG\wininit.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\eddb19405b7ce1	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX4D23.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX56EB.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\RCX6EDC.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Windows Sidebar\6203df4a6bafc7	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\eddb19405b7ce1	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files\Internet Explorer\es-ES\SearchApp.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\upfc.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCX8296.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX74E8.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\unsecapp.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\SearchApp.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files\WindowsPowerShell\RCX96BD.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Windows Sidebar\lsass.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\unsecapp.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\29c1c3cc0f7685	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\lsass.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Windows Mail\upfc.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files (x86)\Windows Mail\ea1d8f6d871115	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files\Internet Explorer\es-ES\38384e6a620884	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\dllhost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File created	C:\Windows\Resources\Ease of Access Themes\5940a34987c991	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCX5AD4.tmp	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\dllhost.exe	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3316	schtasks.exe
668	schtasks.exe
5080	schtasks.exe
1980	schtasks.exe
5044	schtasks.exe
740	schtasks.exe
3268	schtasks.exe
4920	schtasks.exe
1992	schtasks.exe
2716	schtasks.exe
3500	schtasks.exe
1052	schtasks.exe
3588	schtasks.exe
2672	schtasks.exe
3448	schtasks.exe
4748	schtasks.exe
1764	schtasks.exe
3752	schtasks.exe
4784	schtasks.exe
3292	schtasks.exe
3240	schtasks.exe
2260	schtasks.exe
5140	schtasks.exe
4468	schtasks.exe
4268	schtasks.exe
4496	schtasks.exe
4052	schtasks.exe
5080	schtasks.exe
1220	schtasks.exe
1600	schtasks.exe
3844	schtasks.exe
4148	schtasks.exe
4068	schtasks.exe
1956	schtasks.exe
2996	schtasks.exe
2320	schtasks.exe
4248	schtasks.exe
4656	schtasks.exe
5064	schtasks.exe
1816	schtasks.exe
684	schtasks.exe
1104	schtasks.exe
2900	schtasks.exe
1924	schtasks.exe
3276	schtasks.exe
3004	schtasks.exe
4892	schtasks.exe
3012	schtasks.exe
1616	schtasks.exe
1808	schtasks.exe
4776	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000_Classes\Local Settings	backgroundTaskHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Token: SeDebugPrivilege	4636	backgroundTaskHost.exe
Token: SeDebugPrivilege	2064	backgroundTaskHost.exe
Token: SeDebugPrivilege	5216	backgroundTaskHost.exe
Token: SeDebugPrivilege	5668	backgroundTaskHost.exe
Token: SeDebugPrivilege	4704	backgroundTaskHost.exe
Token: SeDebugPrivilege	5640	backgroundTaskHost.exe
Token: SeDebugPrivilege	680	backgroundTaskHost.exe
Token: SeDebugPrivilege	5452	backgroundTaskHost.exe
Token: SeDebugPrivilege	5552	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 5980	1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe	148
PID 1888 wrote to memory of 5980	1888	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe	148
PID 5980 wrote to memory of 6048	5980	cmd.exe	150
PID 5980 wrote to memory of 6048	5980	cmd.exe	150
PID 5980 wrote to memory of 4636	5980	cmd.exe	152
PID 5980 wrote to memory of 4636	5980	cmd.exe	152
PID 4636 wrote to memory of 1836	4636	backgroundTaskHost.exe	153
PID 4636 wrote to memory of 1836	4636	backgroundTaskHost.exe	153
PID 4636 wrote to memory of 1980	4636	backgroundTaskHost.exe	154
PID 4636 wrote to memory of 1980	4636	backgroundTaskHost.exe	154
PID 1836 wrote to memory of 2064	1836	WScript.exe	156
PID 1836 wrote to memory of 2064	1836	WScript.exe	156
PID 2064 wrote to memory of 2192	2064	backgroundTaskHost.exe	157
PID 2064 wrote to memory of 2192	2064	backgroundTaskHost.exe	157
PID 2064 wrote to memory of 4700	2064	backgroundTaskHost.exe	158
PID 2064 wrote to memory of 4700	2064	backgroundTaskHost.exe	158
PID 2192 wrote to memory of 5216	2192	WScript.exe	159
PID 2192 wrote to memory of 5216	2192	WScript.exe	159
PID 5216 wrote to memory of 1112	5216	backgroundTaskHost.exe	160
PID 5216 wrote to memory of 1112	5216	backgroundTaskHost.exe	160
PID 5216 wrote to memory of 224	5216	backgroundTaskHost.exe	161
PID 5216 wrote to memory of 224	5216	backgroundTaskHost.exe	161
PID 1112 wrote to memory of 5668	1112	WScript.exe	162
PID 1112 wrote to memory of 5668	1112	WScript.exe	162
PID 5668 wrote to memory of 1996	5668	backgroundTaskHost.exe	163
PID 5668 wrote to memory of 1996	5668	backgroundTaskHost.exe	163
PID 5668 wrote to memory of 5804	5668	backgroundTaskHost.exe	164
PID 5668 wrote to memory of 5804	5668	backgroundTaskHost.exe	164
PID 1996 wrote to memory of 4704	1996	WScript.exe	165
PID 1996 wrote to memory of 4704	1996	WScript.exe	165
PID 4704 wrote to memory of 1100	4704	backgroundTaskHost.exe	166
PID 4704 wrote to memory of 1100	4704	backgroundTaskHost.exe	166
PID 4704 wrote to memory of 5944	4704	backgroundTaskHost.exe	167
PID 4704 wrote to memory of 5944	4704	backgroundTaskHost.exe	167
PID 1100 wrote to memory of 5640	1100	WScript.exe	168
PID 1100 wrote to memory of 5640	1100	WScript.exe	168
PID 5640 wrote to memory of 2628	5640	backgroundTaskHost.exe	169
PID 5640 wrote to memory of 2628	5640	backgroundTaskHost.exe	169
PID 5640 wrote to memory of 5232	5640	backgroundTaskHost.exe	170
PID 5640 wrote to memory of 5232	5640	backgroundTaskHost.exe	170
PID 2628 wrote to memory of 680	2628	WScript.exe	171
PID 2628 wrote to memory of 680	2628	WScript.exe	171
PID 680 wrote to memory of 920	680	backgroundTaskHost.exe	172
PID 680 wrote to memory of 920	680	backgroundTaskHost.exe	172
PID 680 wrote to memory of 1956	680	backgroundTaskHost.exe	173
PID 680 wrote to memory of 1956	680	backgroundTaskHost.exe	173
PID 920 wrote to memory of 5452	920	WScript.exe	174
PID 920 wrote to memory of 5452	920	WScript.exe	174
PID 5452 wrote to memory of 5196	5452	backgroundTaskHost.exe	175
PID 5452 wrote to memory of 5196	5452	backgroundTaskHost.exe	175
PID 5452 wrote to memory of 4644	5452	backgroundTaskHost.exe	176
PID 5452 wrote to memory of 4644	5452	backgroundTaskHost.exe	176
PID 5196 wrote to memory of 5552	5196	WScript.exe	177
PID 5196 wrote to memory of 5552	5196	WScript.exe	177

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe
"C:\Users\Admin\AppData\Local\Temp\4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tVZYEU3dXH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5980
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:6048
- - C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
    "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4636
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad1e4c4b-8461-47a5-a97a-f088058030ea.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec1c4c39-4835-4fa3-aef2-bb2c0ca429b3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cafd1b6-6016-47df-80b1-ac0ee0b5bdd7.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\832f930a-e58f-4914-8172-40a3519318e4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbdfec4b-be12-4351-ba25-482872851bce.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15ef4998-30a4-43ef-b046-ba65b8ebc86b.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2da0e47b-9401-46fc-8bb7-9363ecd953cf.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c170451-3c60-45d7-8ca3-6b8b125c3506.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5196
        
        C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1696bab2-598a-41f8-ba89-526286f80dde.vbs"
        18⤵
        
        PID:4644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d04447fe-2860-4689-bc36-8ad857a11525.vbs"
        16⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9a7a233-e49b-4737-a4bd-000f742dc2d6.vbs"
        14⤵
        
        PID:5232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ebedbeb-f481-4df6-8bb6-1c60cae235a3.vbs"
        12⤵
        
        PID:5944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307cc013-8d88-4f1e-93ce-8a220ed5e876.vbs"
        10⤵
        
        PID:5804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4a91d10-55ca-4bf9-b487-9c26b7dc4da9.vbs"
        8⤵
        
        PID:224
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18f64cea-3531-4153-b8dd-475de0e7c490.vbs"
        6⤵
        
        PID:4700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a46bb8fb-a5a6-4fe1-9cd4-a2e00cd5e85b.vbs"
      4⤵
      PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4140,i,7593277344190429033,13055212002259797845,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
1⤵
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\bg-BG\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\bg-BG\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\bg-BG\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad9123544" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad9123544" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\es-ES\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Java\Java Update\backgroundTaskHost.exe

Filesize
1.2MB

MD5
8119c60b47d7d4d2950d9aab7bdb2cf1

SHA1
5c54510aa0917a62aee1306f74ae3992363d2aa9

SHA256
95157693ebfa8e6eaaed080b692ca38601d99e4ac559defc7f2d03e52eb8f28e

SHA512
3fb7fd53c5b8ad77e8b9fbaf6bca800df094a24ffdd345a2cf50cdd9da8db08dc6872a7924eefc0f36a7f197a733763223e24f8dadd6d4c44b58928cd8810407

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.2MB

MD5
3b8b335babae9d4a73824efe54aa2148

SHA1
ebb36ea7e8702f50272952071c18f362b0888003

SHA256
4e6333e4c4cb032d90a01f0499d63346da93f702ef1bc8aa6a0b0a8cad912354

SHA512
d110697dcfa249f71fe0b5097d83351285c3f4440d82aa39080d016e0202572b229612a2778aac34b26791aadfe0ce7c89b663ee2d2a83ef43bb7cf0c9fac83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c170451-3c60-45d7-8ca3-6b8b125c3506.vbs

Filesize
751B

MD5
b03525b47df9f07ff94ea51cebef53f0

SHA1
ea41c093e18a77af0b4642c2a6e741b2397d3e1b

SHA256
c48301a10ecc852a6a85bf6ec01934de211f25f91ebda91ee1b393cbe13c00b3

SHA512
b5aaa3ec6256db1c32504b0dc686a5ba67f90f44009b0be54641aa9a4979a8af5f31a63f760134b1e17116e6a2c35691a9530edefd2095276a1e1fe412d5f5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\15ef4998-30a4-43ef-b046-ba65b8ebc86b.vbs

Filesize
751B

MD5
8c17fe306d3db6a7f623f63ba42ec2be

SHA1
4465b194b95a7681e6ad42ba288386d09b183883

SHA256
9e038d8186fe935b0ec5cd5305a7f7ce6a803a50dc03e063562ad747b2717b72

SHA512
4d065603a0aad697c10f7e5c801ae34d6d85979192b32ef18118af5f6d06d60632dfd0e5a165c0e9136e3d148d854c451c41fc5d760b0bc3a5f6c0f092e788fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da0e47b-9401-46fc-8bb7-9363ecd953cf.vbs

Filesize
750B

MD5
eb2fd8380f1cc6d529fddf2f777d1feb

SHA1
3ee8dacc65646bcbb0bfc1c54773a165e241ecef

SHA256
aeea131b11ada03f9cfce7314d3e08c7d5e7e2a7f44f1d7fbe1e14192fdb6b85

SHA512
aa8f97023156504e3d1a61c0f6d2b9d42524635e759c5869b739f56019c08ff0e38a5e5804e11ca75163038a62e22ee7af8a230843d4f3ddfcc17526544831de

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cafd1b6-6016-47df-80b1-ac0ee0b5bdd7.vbs

Filesize
751B

MD5
b7867b3393bd5fd4c91dc0e6ee0b8827

SHA1
42db28fc602a387f7c6c8305997574608df32cd8

SHA256
891f13d8a82028db6a4942373cf7a37eb2a84b9fbc8c76046a619aa0dc3273c3

SHA512
64184c146bec32e64ea15736d3bf2c3f9dba59749a67e71dde7f428616f90c900d35877df5f9aa5251c10e497e7a23d4827f4fdc9a0bc5fd93860e02ae520194

Download Submit
C:\Users\Admin\AppData\Local\Temp\832f930a-e58f-4914-8172-40a3519318e4.vbs

Filesize
751B

MD5
83b4d194bae751b73580ec05e4f901ee

SHA1
03da4e3555978a41c572a05e1278ab564eb3ffce

SHA256
3af346ec9ff3c6cb48a997f9b376e47fab3539f6aa0fd3dad3b08ddb5d0e6e71

SHA512
a61d0ea3f7c3a089f603665b3219af4049c3994c1ccc7b40acd351a296ffe678fcc9fb72c0fd768c3aa4a6ed23f2eb9335d55b6836c1be25aa5cbfb04456ba0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a46bb8fb-a5a6-4fe1-9cd4-a2e00cd5e85b.vbs

Filesize
527B

MD5
81bc869ba37a568f36d01d1e24b6cb3e

SHA1
3e8bdcca40c7f798f74f9a498232b9b8fc850682

SHA256
d9cd917c57be8c44cc5686b2e8981cf8422058c0d0085b362fd30c9793efbeb6

SHA512
7745daf67142b0a4ac77469849759748bd43f9a0d54036bf6fe7c618f3db12076d21d5cbc2744792304e209dddbb0f5d5f247babc6e0d505e15f0c1cbb6f24d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad1e4c4b-8461-47a5-a97a-f088058030ea.vbs

Filesize
751B

MD5
91ed26ac3ed9067257916225ed61bd87

SHA1
ac182ffbf8d9422fd6438ed6053b546f5e0e7837

SHA256
1177f215f7da6038c378e8ae9ee3b4df30b5ac63b0d58c00bf211a65dc21c2dc

SHA512
e89e3b14ac81de3d1767fb21ec309e80e2df8603c435b53cba76ca66bf5909364d4915da8a49f6765b99fd73bd0e5f03480af8b7536d9493b00e49146fc5adbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbdfec4b-be12-4351-ba25-482872851bce.vbs

Filesize
751B

MD5
2cb784c4ee887fd6a9aa33ee42263539

SHA1
dc5a9984629a7296ad9998b629f532d9e549625a

SHA256
267bc72c1ae6f23f694e4aa9e7a14a0ce86fb667e9f086bc7659b146244065d9

SHA512
50443d9cd4c06839912f1d5294a6176598eb061df029c98af6146c6e116e41a94542f9bb7040afae298e5e7da06ede043400e20a3959ce5a3ca51ee870c1aba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec1c4c39-4835-4fa3-aef2-bb2c0ca429b3.vbs

Filesize
751B

MD5
e94b69c34ba46d489b369b1c67fa8a36

SHA1
ff7c324dccb43f13e6b58f46987b007f3db97dff

SHA256
b23b7b0e78439984d26b89ff0d0d2bc318e7ffe2e36ca448c96df5abe518b0f2

SHA512
3eed0533a60d49d67bcded35c2e5dd7e8979b02ed890bea8884261791514edf42b66807e3dddf386c911f18536ac970b26bba732ffc1f78cb176d4455de89fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tVZYEU3dXH.bat

Filesize
240B

MD5
42bf8ff679bc5747f9203937d62bad94

SHA1
1e7d118a57b11b75002e39f64054e966045d6d37

SHA256
620fbfa925f74e80c66404498bb3ee4c073fd90e812eee12cb7c3c7afbc92826

SHA512
b33266df16d67a6b38f6d06a57c08469dcab6f3d46dc05738e323cea31cca0c3e155b2016ecd3dd80ad34f2ec67a55ba5f2814ab0b4d08044b424c0b9f9863a4

Download Submit
memory/680-265-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/680-266-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/680-277-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/1888-15-0x000000001C420000-0x000000001C428000-memory.dmp

Filesize
32KB

Download
memory/1888-0-0x0000000000F90000-0x00000000010CA000-memory.dmp

Filesize
1.2MB

Download
memory/1888-18-0x000000001C280000-0x000000001C28C000-memory.dmp

Filesize
48KB

Download
memory/1888-19-0x000000001C290000-0x000000001C298000-memory.dmp

Filesize
32KB

Download
memory/1888-20-0x000000001C2A0000-0x000000001C2AA000-memory.dmp

Filesize
40KB

Download
memory/1888-21-0x000000001C2B0000-0x000000001C2BC000-memory.dmp

Filesize
48KB

Download
memory/1888-6-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/1888-78-0x00007FFE6FFE0000-0x00007FFE70AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-109-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/1888-16-0x000000001C450000-0x000000001C45A000-memory.dmp

Filesize
40KB

Download
memory/1888-177-0x00007FFE6FFE0000-0x00007FFE70AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-4-0x000000001C2C0000-0x000000001C310000-memory.dmp

Filesize
320KB

Download
memory/1888-3-0x0000000003370000-0x000000000338C000-memory.dmp

Filesize
112KB

Download
memory/1888-17-0x000000001C270000-0x000000001C27E000-memory.dmp

Filesize
56KB

Download
memory/1888-5-0x0000000003240000-0x0000000003248000-memory.dmp

Filesize
32KB

Download
memory/1888-14-0x000000001BD50000-0x000000001BD5C000-memory.dmp

Filesize
48KB

Download
memory/1888-13-0x000000001BD20000-0x000000001BD2C000-memory.dmp

Filesize
48KB

Download
memory/1888-12-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/1888-2-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/1888-7-0x000000001BC70000-0x000000001BC86000-memory.dmp

Filesize
88KB

Download
memory/1888-1-0x00007FFE6FFE0000-0x00007FFE70AA1000-memory.dmp

Filesize
10.8MB

Download
memory/1888-11-0x000000001BD00000-0x000000001BD0C000-memory.dmp

Filesize
48KB

Download
memory/1888-8-0x000000001BD30000-0x000000001BD38000-memory.dmp

Filesize
32KB

Download
memory/1888-10-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/1888-9-0x000000001BD40000-0x000000001BD4A000-memory.dmp

Filesize
40KB

Download
memory/2064-209-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/2064-198-0x00000000016E0000-0x00000000016F0000-memory.dmp

Filesize
64KB

Download
memory/2064-197-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/4636-182-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/4636-181-0x00000000002F0000-0x000000000042A000-memory.dmp

Filesize
1.2MB

Download
memory/4636-183-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/4636-194-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/4704-238-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/4704-249-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5216-212-0x000000001BD00000-0x000000001BD10000-memory.dmp

Filesize
64KB

Download
memory/5216-223-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5216-211-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5452-279-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5452-280-0x000000001AFC0000-0x000000001AFD0000-memory.dmp

Filesize
64KB

Download
memory/5452-291-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5552-293-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5640-263-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5640-252-0x000000001B600000-0x000000001B610000-memory.dmp

Filesize
64KB

Download
memory/5640-251-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5668-236-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download
memory/5668-225-0x00007FFE705B0000-0x00007FFE71071000-memory.dmp

Filesize
10.8MB

Download