dcrat | 37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Size

4.9MB
MD5

549a897f0c0298c512c30faf8a911840
SHA1

77864449acf9065d7522006aec1bc67b543cb514
SHA256

37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc
SHA512

481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1956	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1956	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2056-3-0x000000001B0F0000-0x000000001B21E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2192	powershell.exe
1036	powershell.exe
2412	powershell.exe
2552	powershell.exe
2456	powershell.exe
1864	powershell.exe
2340	powershell.exe
1608	powershell.exe
2384	powershell.exe
2644	powershell.exe
2128	powershell.exe
2428	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2296	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2872	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2788	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2464	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2976	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1320	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\f3b6ecef712a24	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Media Player\Idle.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Defender\sppsvc.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Defender\0a1fd5f707cd16	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RCXBD5F.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXBF63.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files\Windows Media Player\6ccacd8608530f	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Defender\sppsvc.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\RCXB4D3.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Media Player\Idle.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\f3b6ecef712a24	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Program Files\Windows Defender\RCXB05D.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Windows\886983d96e3d3e	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\RCXAE5A.tmp	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File created	C:\Windows\Web\Wallpaper\Windows\csrss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\csrss.exe	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
1640	schtasks.exe
2000	schtasks.exe
1484	schtasks.exe
1300	schtasks.exe
1848	schtasks.exe
1040	schtasks.exe
2880	schtasks.exe
264	schtasks.exe
1168	schtasks.exe
600	schtasks.exe
620	schtasks.exe
2620	schtasks.exe
1828	schtasks.exe
1800	schtasks.exe
2936	schtasks.exe
2952	schtasks.exe
2768	schtasks.exe
1688	schtasks.exe
1968	schtasks.exe
844	schtasks.exe
108	schtasks.exe
2812	schtasks.exe
2760	schtasks.exe
1076	schtasks.exe
2872	schtasks.exe
2932	schtasks.exe
2112	schtasks.exe
2736	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2192	powershell.exe
1608	powershell.exe
2128	powershell.exe
2412	powershell.exe
2644	powershell.exe
2428	powershell.exe
1036	powershell.exe
2552	powershell.exe
2384	powershell.exe
2340	powershell.exe
2456	powershell.exe
1864	powershell.exe
2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2872	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2788	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2464	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
2976	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1320	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
1580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2872	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2788	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2464	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	2976	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1320	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Token: SeDebugPrivilege	1580	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2340	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	61
PID 2056 wrote to memory of 2340	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	61
PID 2056 wrote to memory of 2340	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	61
PID 2056 wrote to memory of 1608	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	62
PID 2056 wrote to memory of 1608	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	62
PID 2056 wrote to memory of 1608	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	62
PID 2056 wrote to memory of 2384	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	63
PID 2056 wrote to memory of 2384	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	63
PID 2056 wrote to memory of 2384	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	63
PID 2056 wrote to memory of 2192	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	64
PID 2056 wrote to memory of 2192	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	64
PID 2056 wrote to memory of 2192	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	64
PID 2056 wrote to memory of 1036	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	65
PID 2056 wrote to memory of 1036	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	65
PID 2056 wrote to memory of 1036	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	65
PID 2056 wrote to memory of 2428	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	66
PID 2056 wrote to memory of 2428	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	66
PID 2056 wrote to memory of 2428	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	66
PID 2056 wrote to memory of 2128	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	67
PID 2056 wrote to memory of 2128	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	67
PID 2056 wrote to memory of 2128	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	67
PID 2056 wrote to memory of 2552	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	68
PID 2056 wrote to memory of 2552	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	68
PID 2056 wrote to memory of 2552	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	68
PID 2056 wrote to memory of 2412	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	70
PID 2056 wrote to memory of 2412	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	70
PID 2056 wrote to memory of 2412	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	70
PID 2056 wrote to memory of 2644	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	72
PID 2056 wrote to memory of 2644	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	72
PID 2056 wrote to memory of 2644	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	72
PID 2056 wrote to memory of 2456	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	73
PID 2056 wrote to memory of 2456	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	73
PID 2056 wrote to memory of 2456	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	73
PID 2056 wrote to memory of 1864	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	74
PID 2056 wrote to memory of 1864	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	74
PID 2056 wrote to memory of 1864	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	74
PID 2056 wrote to memory of 1592	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	85
PID 2056 wrote to memory of 1592	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	85
PID 2056 wrote to memory of 1592	2056	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	85
PID 1592 wrote to memory of 2880	1592	cmd.exe	87
PID 1592 wrote to memory of 2880	1592	cmd.exe	87
PID 1592 wrote to memory of 2880	1592	cmd.exe	87
PID 1592 wrote to memory of 2996	1592	cmd.exe	89
PID 1592 wrote to memory of 2996	1592	cmd.exe	89
PID 1592 wrote to memory of 2996	1592	cmd.exe	89
PID 2996 wrote to memory of 2484	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	90
PID 2996 wrote to memory of 2484	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	90
PID 2996 wrote to memory of 2484	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	90
PID 2996 wrote to memory of 1052	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	91
PID 2996 wrote to memory of 1052	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	91
PID 2996 wrote to memory of 1052	2996	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	91
PID 2484 wrote to memory of 2332	2484	WScript.exe	92
PID 2484 wrote to memory of 2332	2484	WScript.exe	92
PID 2484 wrote to memory of 2332	2484	WScript.exe	92
PID 2332 wrote to memory of 680	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	93
PID 2332 wrote to memory of 680	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	93
PID 2332 wrote to memory of 680	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	93
PID 2332 wrote to memory of 1784	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	94
PID 2332 wrote to memory of 1784	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	94
PID 2332 wrote to memory of 1784	2332	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe	94
PID 680 wrote to memory of 2296	680	WScript.exe	95
PID 680 wrote to memory of 2296	680	WScript.exe	95
PID 680 wrote to memory of 2296	680	WScript.exe	95
PID 2972 wrote to memory of 2872	2972	WScript.exe	98

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
"C:\Users\Admin\AppData\Local\Temp\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mSRhE1uhqP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2880
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2996
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3abe6ad1-c1f4-4417-ac43-61a024672268.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2332
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9af45eb8-fe83-4989-8361-1325fcd55f3d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a30979c6-2397-40a2-8215-6a58ddf1f2ad.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1121f84c-bb9f-4094-a517-484b1fe5cbda.vbs"
        10⤵
        
        PID:1728
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a51fa9af-bd3c-432c-b55f-c08bde020553.vbs"
        12⤵
        
        PID:2784
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cba28dc-b2c3-4b16-8170-9264c81bc745.vbs"
        14⤵
        
        PID:1352
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56026928-015f-4000-a526-45fc8e7de0c2.vbs"
        16⤵
        
        PID:2136
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c72e5d0d-1205-46c2-847d-56761487c3c9.vbs"
        18⤵
        
        PID:1968
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e8b530a-b553-44b3-bd9f-cdaa5959fabf.vbs"
        20⤵
        
        PID:2220
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4b05a9-ff90-467c-8cd7-dbdc2bc6b3ab.vbs"
        22⤵
        
        PID:2940
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d37d30-7214-453c-acbd-3e3969f876ed.vbs"
        24⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56b8aa54-b9c9-4afa-a4ba-65ac83c8a8d2.vbs"
        24⤵
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b219e1ac-f117-4e9e-9820-ef483a10f00a.vbs"
        22⤵
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71315275-2f4d-45a1-a904-aaa0ee61dd96.vbs"
        20⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\838a3aec-cd37-4d4f-b9b2-e41bedb5c6e6.vbs"
        18⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02c57754-b4c4-4aab-a56e-5101349fe7c4.vbs"
        16⤵
        
        PID:2016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf66bb62-1073-42da-a83b-7d227dac89cb.vbs"
        14⤵
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c9941cb-c50e-41ef-92ea-bf65af60c857.vbs"
        12⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9079ab3c-3f60-49ec-b8d5-83fa1c29e75f.vbs"
        10⤵
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c32ad4c3-d852-4343-9ff3-8c1be4b0fa00.vbs"
        8⤵
        
        PID:1976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b826bfb4-ad1c-4ae9-aa1c-3d4e2badcd30.vbs"
        6⤵
        
        PID:1784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8307ee15-a3ae-4b54-a5e1-ca140f6281ef.vbs"
      4⤵
      PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\Windows\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Windows\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Windows\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN3" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dcN.exe

Filesize
4.9MB

MD5
faf0739365b89a8169b69911d7697519

SHA1
69ffd48435268292b7ad4996088de23257633c86

SHA256
65662b09e3c093c15df3592a679e450cc8a6e14b1f6c19f2ff14d63582324c3f

SHA512
ec6152cba899355ec2888b4f9f087577344daf78034ec3c99be41998cbc7c826cc4cc7a1176631f8cd1a87c0708ca035fb71ccdc82d0d2ee63cb4dc2bd97a237

Download Submit
C:\ProgramData\RCXB744.tmp

Filesize
4.9MB

MD5
af1d5fa518ba768f508a8a046eb8b10a

SHA1
a2556f07f34970a02383d453d30a6a381d5aab3c

SHA256
80c8fdf4c4e6d23b5a3984a3d3913a190e1659f7d61ab1916d2289abe93e6b0d

SHA512
7f75e115f1a2107a1227f75bdbdd913e252a3122252b1c11a711dc5e870edf49b396a2247313cd1b443528ea91c51a40d40aaec38b0a2d4f97cf9f2d1e970c17

Download Submit
C:\ProgramData\lsm.exe

Filesize
4.9MB

MD5
549a897f0c0298c512c30faf8a911840

SHA1
77864449acf9065d7522006aec1bc67b543cb514

SHA256
37762a06abb892e7cb02c8f430f2bbaed874495435959acc1839ff0a040147dc

SHA512
481f73e8a9160def609cd28ec9d97398d66163c240a4d63f77686bfa2c99dddb5f7a9df0731c46309e8a1d19bed59d62e358e0ace10ec793731d3690df8bdd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1121f84c-bb9f-4094-a517-484b1fe5cbda.vbs

Filesize
817B

MD5
3dd7612ec8b41aad079b7dc74b849475

SHA1
0c43c5b7fb48920e38dedbe62091d85e8eb979f8

SHA256
3c0464da78b01d40205542db78f23ac01afdb1fa0d23d9fdb09732fd8ff2874d

SHA512
8760182f0f4cc8a078c7b6964a2813b1955a653ebd75f528469dd997a21b35188ac78a4e82577e18a36ad8d2df6b122093d211a4f8c718a8568c4952f96ce194

Download Submit
C:\Users\Admin\AppData\Local\Temp\3abe6ad1-c1f4-4417-ac43-61a024672268.vbs

Filesize
817B

MD5
68343f8329fd405aa1048648d7cb2e12

SHA1
46e247323a98cdeb4ea52217025d6a4efd1cb274

SHA256
377e75de17f75898be9d96368ab5a8a3e5cce07ee9c92ea4d7733cbe0e30f81f

SHA512
0ffcf2c6ec19c5cf9d91a603882fd01829a951debcc5231d68dd28805425db3725551238028eb325cdc69cd0c329febe4b8c1bb3d63f77f94806af2717be4243

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f4b05a9-ff90-467c-8cd7-dbdc2bc6b3ab.vbs

Filesize
817B

MD5
6d31bdae4ef3b123351de50ff42710a2

SHA1
1b533d540072d2d0d1213c210a1e1a8f5a803f32

SHA256
5682ec2de5bc0a294a4da098c62d933bb48d55c2bb6353e5fb9f6bc9f0eaeb64

SHA512
1bc1952b3cdddc04d3666c5a96bc55202d1fda342dfafdb60ab69663cc0d2d01d19f72d1253b9173d8312ff557be678caadaa7a5c42bb7677c933893553a9b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\56026928-015f-4000-a526-45fc8e7de0c2.vbs

Filesize
817B

MD5
36d8b94523cc0dcb24f1022f90fd12ed

SHA1
fcca533ab4c00cf3ebcec93769b16e8802b36b07

SHA256
74b6a126a400b5e97c06896b0297876369baa489b69c46150343e770c980b0e8

SHA512
c1bd08b008a9fdcc092f79f8eb8ca4e7dd666f6abe8baae99e919cdba731f010f28c75950888eb9405c46394207807178a9d8806156f4b3dfb69ce1fde0c5944

Download Submit
C:\Users\Admin\AppData\Local\Temp\75d37d30-7214-453c-acbd-3e3969f876ed.vbs

Filesize
817B

MD5
884d643586284b4e408dd922fc6d17b2

SHA1
164a1230cd580edec8dfed32ed4498363c5bb2e8

SHA256
404858530bd318d2a749ac0cc3671c576c8d10cb515678faf74a2f04da1534b8

SHA512
076d7dfb1c4526506023865f1445c2fd1d0216163fe29577edc5eccae19fa0928ad05216af7e4801b66117fa0bd871baf385ffeb941ac6ef6508a081c4aa3534

Download Submit
C:\Users\Admin\AppData\Local\Temp\8307ee15-a3ae-4b54-a5e1-ca140f6281ef.vbs

Filesize
593B

MD5
0b04622190aab365422befb5fbbc03f2

SHA1
44e6ec6279e093aeb8d65bc117758cc5534d07ec

SHA256
74e0a5115cc93a794f2bc8e8ccfc5ac6ab17159a4e869648ec29b0d1a73511c6

SHA512
3e85ffdcc037502ae4425db3261f326443058fd4a91b3c43d1cffcbcad708ca7710cbc4c8799c910563543942d458b9a6b03aa7826ba28a2df7686856ab33395

Download Submit
C:\Users\Admin\AppData\Local\Temp\8e8b530a-b553-44b3-bd9f-cdaa5959fabf.vbs

Filesize
817B

MD5
c3951321f153f50d3152e3a58c8c78c6

SHA1
210f94a85f568a64be32872811fdbed2b8a31689

SHA256
777e6f4fb0e8ecbb9c6be192dcb506be10379a0b28a2cac728bba3f26d44e078

SHA512
116b1a25088cffdf45d18ddb4d1b9dc1acd9b289048900c13fa19227e0c6fdacc360a1c638261e7e9737c43c1cf6cfa6e420fecfb08327bf22ef4b414a9faa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\9af45eb8-fe83-4989-8361-1325fcd55f3d.vbs

Filesize
817B

MD5
68fcfee8ac326ea87c008dc07bab86c2

SHA1
7fe67ed8c691ee04afa37d2652a98e66205f350f

SHA256
6ed260d7cf44a92fb212ca7db2dcb7b6e008b1f02250471aad1b058184546844

SHA512
8ce1b19e3ca31b12e0f40447f0a4b1b070fca4707784bccabc24a795ccd410c80175e5b308cbf271ce957540d56d55eeca2e2b0a21ac730a5812322cbd33c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a51fa9af-bd3c-432c-b55f-c08bde020553.vbs

Filesize
817B

MD5
79d6e33f49d29408a5c2d59c84833326

SHA1
c558847e842083d1fff7b840c34a0de8dbf93c8f

SHA256
04207dfaaa272e0f9196666aecfcbbb463b7c02853024a73be7a2393e523f834

SHA512
8483677503b70b84e4963bbd022a123ae91f788cd1079749bc8feb6c012e25d4673013c1e97a688e5a18d49044c96c4ec2e3d01969e94078e6c8d0298af8806f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c72e5d0d-1205-46c2-847d-56761487c3c9.vbs

Filesize
817B

MD5
267c9203e76fb0b93de555de78b5cf8d

SHA1
64f9840683f0adcec46703fc0e9e81776ae7ca8a

SHA256
1c5a697fa1392b725032f38113ebc2b0625a5d6ed2d92d52683aac71c8ad6d70

SHA512
8b3f93b68a99590e2c61270b66ffe03abdefe801d71c2f743aa4f511819503bf60ca128294c557d1e935db060e9af5b7e5fd4a93d1107294741f9fee4af15797

Download Submit
C:\Users\Admin\AppData\Local\Temp\mSRhE1uhqP.bat

Filesize
306B

MD5
19910183e0100845a5819cf9e98a8805

SHA1
4b62ba8e76e32bf1ba125a31a501320acfc6b090

SHA256
f1df70688cb1065d341d845fb42e0bc2dea938d0690e822362a4197ea014d469

SHA512
699234c194d9110829d6cf1f0a03fa780f5cc99328400a0a56bb21c1d94d61b469900449477e8f1ec1b673ff9f00aa7d0542a16db4a3078a2390d1b027b405d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8E8.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22ed64f79c9f2fac9f92d602a1fd9bf1

SHA1
d9e7b06031b860883561b27fddaae858b6c4feb0

SHA256
7344e3f43a5873797500f4087ab3374e441d95695917b838792100406748177d

SHA512
d363f750cbbf66b2e9eed49440c5d9a91ac214d61e4057095be9223b7ecec90f1e4e9cc91c37c17b5426864074d28897c88b78e546e622828fd7117d6b874998

Download Submit
memory/1320-300-0x00000000003C0000-0x00000000008B4000-memory.dmp

Filesize
5.0MB

Download
memory/1580-315-0x0000000000F00000-0x00000000013F4000-memory.dmp

Filesize
5.0MB

Download
memory/2056-11-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/2056-8-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2056-4-0x0000000000990000-0x00000000009AC000-memory.dmp

Filesize
112KB

Download
memory/2056-6-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2056-138-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-14-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2056-15-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2056-1-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2056-13-0x00000000023F0000-0x00000000023FE000-memory.dmp

Filesize
56KB

Download
memory/2056-12-0x00000000023E0000-0x00000000023EE000-memory.dmp

Filesize
56KB

Download
memory/2056-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2056-16-0x0000000002420000-0x000000000242C000-memory.dmp

Filesize
48KB

Download
memory/2056-7-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2056-10-0x00000000023C0000-0x00000000023D2000-memory.dmp

Filesize
72KB

Download
memory/2056-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2056-9-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/2056-5-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2056-3-0x000000001B0F0000-0x000000001B21E000-memory.dmp

Filesize
1.2MB

Download
memory/2192-124-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2192-130-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2332-196-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2332-195-0x0000000000EC0000-0x00000000013B4000-memory.dmp

Filesize
5.0MB

Download
memory/2464-270-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2788-255-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/2872-212-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download
memory/2976-285-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2996-181-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download