dcrat | 48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Size

4.9MB
MD5

9f54373c7eefc48c1d4e8a8b50c3d485
SHA1

c3f2f30da9c44a21b69ef16b647a899aa212d23a
SHA256

48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621
SHA512

e4b8c96114aba0c7dd977e0a4fb6ade31f0503eea87e27de842fc4fa1f531fd49dc8d1ec762ffbc26f3474ccf8bbb7108a56aab9fb8bce6339dcd68bfecfe77b
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1564	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2492-3-0x000000001B6E0000-0x000000001B80E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3024	powershell.exe
2264	powershell.exe
2152	powershell.exe
2984	powershell.exe
2988	powershell.exe
2936	powershell.exe
2948	powershell.exe
3016	powershell.exe
2900	powershell.exe
2940	powershell.exe
1292	powershell.exe
2688	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2896	taskhost.exe
2956	taskhost.exe
2604	taskhost.exe
1524	taskhost.exe
2844	taskhost.exe
2884	taskhost.exe
1248	taskhost.exe
352	taskhost.exe
2196	taskhost.exe
2748	taskhost.exe
2608	taskhost.exe
792	taskhost.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Download\taskhost.exe	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\6ccacd8608530f	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File created	C:\Program Files (x86)\Google\Update\Download\taskhost.exe	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File created	C:\Program Files (x86)\Google\Update\Download\b75386f1303e64	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXC534.tmp	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\RCXC737.tmp	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2756	schtasks.exe
2864	schtasks.exe
2924	schtasks.exe
2252	schtasks.exe
2740	schtasks.exe
2628	schtasks.exe
2744	schtasks.exe
3008	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
2936	powershell.exe
2264	powershell.exe
2984	powershell.exe
3016	powershell.exe
2900	powershell.exe
2688	powershell.exe
2940	powershell.exe
2988	powershell.exe
3024	powershell.exe
2948	powershell.exe
2152	powershell.exe
1292	powershell.exe
2896	taskhost.exe
2956	taskhost.exe
2604	taskhost.exe
1524	taskhost.exe
2844	taskhost.exe
2884	taskhost.exe
1248	taskhost.exe
352	taskhost.exe
2196	taskhost.exe
2748	taskhost.exe
2608	taskhost.exe
792	taskhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2896	taskhost.exe
Token: SeDebugPrivilege	2956	taskhost.exe
Token: SeDebugPrivilege	2604	taskhost.exe
Token: SeDebugPrivilege	1524	taskhost.exe
Token: SeDebugPrivilege	2844	taskhost.exe
Token: SeDebugPrivilege	2884	taskhost.exe
Token: SeDebugPrivilege	1248	taskhost.exe
Token: SeDebugPrivilege	352	taskhost.exe
Token: SeDebugPrivilege	2196	taskhost.exe
Token: SeDebugPrivilege	2748	taskhost.exe
Token: SeDebugPrivilege	2608	taskhost.exe
Token: SeDebugPrivilege	792	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2152	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	41
PID 2492 wrote to memory of 2152	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	41
PID 2492 wrote to memory of 2152	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	41
PID 2492 wrote to memory of 2984	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	42
PID 2492 wrote to memory of 2984	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	42
PID 2492 wrote to memory of 2984	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	42
PID 2492 wrote to memory of 2940	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	44
PID 2492 wrote to memory of 2940	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	44
PID 2492 wrote to memory of 2940	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	44
PID 2492 wrote to memory of 2988	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	45
PID 2492 wrote to memory of 2988	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	45
PID 2492 wrote to memory of 2988	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	45
PID 2492 wrote to memory of 2936	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	46
PID 2492 wrote to memory of 2936	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	46
PID 2492 wrote to memory of 2936	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	46
PID 2492 wrote to memory of 2948	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	47
PID 2492 wrote to memory of 2948	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	47
PID 2492 wrote to memory of 2948	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	47
PID 2492 wrote to memory of 3016	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	48
PID 2492 wrote to memory of 3016	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	48
PID 2492 wrote to memory of 3016	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	48
PID 2492 wrote to memory of 3024	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	49
PID 2492 wrote to memory of 3024	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	49
PID 2492 wrote to memory of 3024	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	49
PID 2492 wrote to memory of 2264	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	50
PID 2492 wrote to memory of 2264	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	50
PID 2492 wrote to memory of 2264	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	50
PID 2492 wrote to memory of 1292	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	51
PID 2492 wrote to memory of 1292	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	51
PID 2492 wrote to memory of 1292	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	51
PID 2492 wrote to memory of 2688	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	52
PID 2492 wrote to memory of 2688	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	52
PID 2492 wrote to memory of 2688	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	52
PID 2492 wrote to memory of 2900	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	53
PID 2492 wrote to memory of 2900	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	53
PID 2492 wrote to memory of 2900	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	53
PID 2492 wrote to memory of 3068	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	65
PID 2492 wrote to memory of 3068	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	65
PID 2492 wrote to memory of 3068	2492	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe	65
PID 3068 wrote to memory of 1236	3068	cmd.exe	67
PID 3068 wrote to memory of 1236	3068	cmd.exe	67
PID 3068 wrote to memory of 1236	3068	cmd.exe	67
PID 3068 wrote to memory of 2896	3068	cmd.exe	68
PID 3068 wrote to memory of 2896	3068	cmd.exe	68
PID 3068 wrote to memory of 2896	3068	cmd.exe	68
PID 2896 wrote to memory of 2672	2896	taskhost.exe	69
PID 2896 wrote to memory of 2672	2896	taskhost.exe	69
PID 2896 wrote to memory of 2672	2896	taskhost.exe	69
PID 2896 wrote to memory of 2356	2896	taskhost.exe	70
PID 2896 wrote to memory of 2356	2896	taskhost.exe	70
PID 2896 wrote to memory of 2356	2896	taskhost.exe	70
PID 2672 wrote to memory of 2956	2672	WScript.exe	71
PID 2672 wrote to memory of 2956	2672	WScript.exe	71
PID 2672 wrote to memory of 2956	2672	WScript.exe	71
PID 2956 wrote to memory of 2712	2956	taskhost.exe	72
PID 2956 wrote to memory of 2712	2956	taskhost.exe	72
PID 2956 wrote to memory of 2712	2956	taskhost.exe	72
PID 2956 wrote to memory of 1988	2956	taskhost.exe	73
PID 2956 wrote to memory of 1988	2956	taskhost.exe	73
PID 2956 wrote to memory of 1988	2956	taskhost.exe	73
PID 2712 wrote to memory of 2604	2712	WScript.exe	74
PID 2712 wrote to memory of 2604	2712	WScript.exe	74
PID 2712 wrote to memory of 2604	2712	WScript.exe	74
PID 2604 wrote to memory of 620	2604	taskhost.exe	75

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe
"C:\Users\Admin\AppData\Local\Temp\48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\czI43DjlKC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1236
- - C:\Program Files (x86)\Google\Update\Download\taskhost.exe
    "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87f2df69-796f-4f12-b6f8-998e140f51e9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21dc0ea5-9032-4d43-85bd-92d5396022a1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8239bf0-10e4-431c-9466-204e1b220659.vbs"
        8⤵
        
        PID:620
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7541739-2933-432c-b429-26e329cf2e11.vbs"
        10⤵
        
        PID:2020
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21a55b01-0f2e-4059-a872-fb233dfde71f.vbs"
        12⤵
        
        PID:3032
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fa52d52-7a6c-4704-8dc5-3dc63b1cbf77.vbs"
        14⤵
        
        PID:2208
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa60dd8-e153-4c9f-9974-35be2a20c75b.vbs"
        16⤵
        
        PID:2544
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca3ac87-84ef-49b5-9742-3d30fe20984b.vbs"
        18⤵
        
        PID:2900
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7a1c3f0-8acd-4448-b088-74402893e096.vbs"
        20⤵
        
        PID:2340
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d094bdd-8702-4e8d-aa94-3c0984479e29.vbs"
        22⤵
        
        PID:2884
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d394ef3d-3011-4d2e-8e10-0200f494239d.vbs"
        24⤵
        
        PID:2072
        
        C:\Program Files (x86)\Google\Update\Download\taskhost.exe
        
        "C:\Program Files (x86)\Google\Update\Download\taskhost.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18222133-070e-4f1c-ba44-7d078ecd642e.vbs"
        26⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32906978-b34e-4f5a-bdd4-9425935f894b.vbs"
        26⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0484e97-6290-4c1e-b2ea-38170524de77.vbs"
        24⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fda8c311-641d-49e2-adfe-c89c1825c4e2.vbs"
        22⤵
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4c5c98c-0a52-4534-ae3b-1d30bb68ff4c.vbs"
        20⤵
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46ca69d8-57e7-4a8e-a5c0-6b8c1e4d6833.vbs"
        18⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0131865a-e002-48ef-9cc1-aea50cd91a8a.vbs"
        16⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9ec9d9c-99f8-4e88-939e-f4223ae3c487.vbs"
        14⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57e09a9e-ed5a-4e55-9b43-d711e99f85ad.vbs"
        12⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d0c1c60-4108-4dcd-af26-8849e0f299da.vbs"
        10⤵
        
        PID:2132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90be173e-4d8c-4bf8-9a11-5fa782104588.vbs"
        8⤵
        
        PID:3052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca8cda1-a1d3-4058-b8e0-d620274c4676.vbs"
        6⤵
        
        PID:1988
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b74ac8c-3224-404c-8a70-09733483e3f5.vbs"
      4⤵
      PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Download\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Download\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\it-IT\Idle.exe

Filesize
4.9MB

MD5
9f54373c7eefc48c1d4e8a8b50c3d485

SHA1
c3f2f30da9c44a21b69ef16b647a899aa212d23a

SHA256
48a3b02137ae3342c85fedda2c805c6b13122260655b3d96d5e6f35dd6cf2621

SHA512
e4b8c96114aba0c7dd977e0a4fb6ade31f0503eea87e27de842fc4fa1f531fd49dc8d1ec762ffbc26f3474ccf8bbb7108a56aab9fb8bce6339dcd68bfecfe77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\18222133-070e-4f1c-ba44-7d078ecd642e.vbs

Filesize
733B

MD5
a9c9a5c05811800555dc5e5c93940cde

SHA1
82e13210eb9cd560ee408ca2c5dacc8d3ef6319e

SHA256
d396d7ce343a0a4fe46c69e15926d54829df68edae9289e811229f7aad1c9cf4

SHA512
c5d1917baab8fda934b5c6286d32d95b28df67eed663d726d36c6065cb4ea2e9ee83a329f041593007588e9c29d6f20209533f5fc65aeac8c5281c47e7f548d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\21a55b01-0f2e-4059-a872-fb233dfde71f.vbs

Filesize
734B

MD5
e886e86f13a27396ca2c355e775af079

SHA1
2ccc8c10a0357487a73cd5bae844b296dc9e4e5f

SHA256
51e3365ad2a7a2d44e3a27140e72f25f88213f8dd3b4cac29d13a9afb263e175

SHA512
65d488610978a167e8161f318e4329861764675e02417f6543c01a8d309cd89615a1ef5880ec3bcd936963d86cd072a5ad2d3b5bae30e99aa13d20595e617ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\21dc0ea5-9032-4d43-85bd-92d5396022a1.vbs

Filesize
734B

MD5
21b84c1523402b4f636d53c1b4201a41

SHA1
5cc80618afd56c28030e5e5ae8c6476cf3ea2a44

SHA256
d25d2ad6a3b1b3e06fa7f7a9f8d7507704086243a9397595d23c22db165b2de0

SHA512
4c6ab677c32021daf6954973ab0fba2103d0d0d6b2d1b4eb2f88965dc46efede6987821ca3cb818520c8e43e281d9c57956e6a1b6808481cb10f6057031dcba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aa60dd8-e153-4c9f-9974-35be2a20c75b.vbs

Filesize
734B

MD5
cc77b8d91074529290dce2266787b953

SHA1
7ceff99492f82c87130e43f044804983d98ddf03

SHA256
11955d8679af2466a96e0561714b25be93115a9a1c7be9ba7847e522bf099410

SHA512
227aa9c20e2d3c7ae6047cac6d71630b33febd48122d2a6a1a3032088798061804575856c3785f522b50db5d7a2976635cef3ead6f86255a753aa7b8f3547d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\87f2df69-796f-4f12-b6f8-998e140f51e9.vbs

Filesize
734B

MD5
790abc47c3830d9e5e25d45b23cfeb8c

SHA1
ce1bd7b066a4933815f4dcc75b5de79e918a8cf3

SHA256
be786be87daa5b977870ed2e32e07d5b657222cdfd42285cab75eb6801ac6601

SHA512
a603d1ccc28e7ad3add87a12c92121278e8f36a8dc2fef04cf6e5e154a4edc5d63450f48fc1d79d5ffd9297e6cb44083cd6b857705124b94b5f9d643abc49c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b74ac8c-3224-404c-8a70-09733483e3f5.vbs

Filesize
510B

MD5
0439e67d087c3f11060e63aeadab1897

SHA1
a90eb144d1ef3274470a0a3874273e7c43502f9d

SHA256
be8639697d6c3efffddf7d441b740be05100db0a5619ea862b73333f8c8700c2

SHA512
5b3e0df8dfd6f1baaf13760d36996b61108dfe8ed587e97b619f0de04be0be6ef13688a4baefa21e652cc6bf8259f7ad97f2a3c8793a3a111b531929fe72dc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fa52d52-7a6c-4704-8dc5-3dc63b1cbf77.vbs

Filesize
734B

MD5
b12fd031c242c55a9e0ef68d4ecece62

SHA1
35fe106cc2922ee446447303cd9406dd886ddaf6

SHA256
e79255dd07659cdf3ea03de7d049403780b4c8107bd5474636c55ac24afa8d6d

SHA512
238e8512fcf69bbcd50f7398e66dcfd26fbc6d6c245a1ec0d799bd0e125bff080b5fc428713021fdff892c65d0218a5801d8c7ef4eb3284c0fa66cab9874917d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d094bdd-8702-4e8d-aa94-3c0984479e29.vbs

Filesize
734B

MD5
2a9f32cdd2ffcb9ad909aad2c1ed8dbb

SHA1
60aea59dd5ed79b9f176b0cb73d17f2c2639e061

SHA256
dad9221a9bb61ac215d316305d14e8dfae81c12d01520a2c31d530ca9468cade

SHA512
2e0e5cd5000ebeecdf3420db85f905f9bb720f62e81ed18c17216f24be44d5f510cae507b4d37fa942a2940e0aae5be777a228f71d73f20cf1f70b43e10b573b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8239bf0-10e4-431c-9466-204e1b220659.vbs

Filesize
734B

MD5
a4d59d755d8b28d37ed8257a83601261

SHA1
5155ea2e08057711361292db85fb303ace01fc42

SHA256
ae4c2a34c3df4e35a970bdf86cda484e994a608506cf4804765ccfaf90ef7ae2

SHA512
b52a1003faf5ed6044a2d4e68fd0e1fbdc0bcdbbca63c68ab7478260ebb3f2b955e70f6d4dec0f15a25cab76de261a02d9a9e466876d7de978538a45d010189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cca3ac87-84ef-49b5-9742-3d30fe20984b.vbs

Filesize
733B

MD5
1b0f54747eb8189fb8c32ff1fb5ef9e5

SHA1
b3871912709b8426a8c530e187c0f35189494610

SHA256
6214f137ad34af6e60525f7497989b0a1aae573d58a979eaa5135c5da6b57840

SHA512
d2292baaefefe76e954ae2aad55d56c4dceb36d7381a4d7bca29185e38682de5ae74d8a58a4b2f255ed9fdaeb1ea9116474cee1bf95c5540c3b69ee47ad9ace3

Download Submit
C:\Users\Admin\AppData\Local\Temp\czI43DjlKC.bat

Filesize
223B

MD5
2f8d29306767f4fc57bf852df7e630a2

SHA1
98b2214bdbebc4f0892e4f83efd379441a9dfa9f

SHA256
cfdae8c8515c0165109a9c700e94827eb4e082858f61307942a499089ef45266

SHA512
2f976727f1c88e121371600f9953e7d009b0fd20a811c6354adeea77cc8fcb9c20b0cd42758d0615183df25e9bd6363b512c9998a7be42b4b2b05d451f7e378b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d394ef3d-3011-4d2e-8e10-0200f494239d.vbs

Filesize
734B

MD5
4d542d0778a6092ac123cc9be14d64f8

SHA1
1f9228e38449b2f0c9ea70660f10e9bab53270dd

SHA256
aad06694a9b43dcc41ae10857e68bbd4aa334878bb5c93acb37203f03aadb947

SHA512
defcb354ae36866bccef050d8676a3dce270bea139e1a2330be72dc6257789e7133f1b695931b00db04953d0c3563ac4e8ebc1b8bd8c4f0a6214ff6299bd2565

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7541739-2933-432c-b429-26e329cf2e11.vbs

Filesize
734B

MD5
bc3548c9568856f5670979364f4cb1d4

SHA1
bf2976be5bb32b2700bb06ed9768ba7dec9740ac

SHA256
0352aa90f3edf192fe0dddb6c8cb515771476ef85a4db4afd08ff0527caa3970

SHA512
d97e5b0f362928c6271857d0d87802e00a5db73c3f1f38a1f71f3477384bb36a1b0e05ce1a468de2a1b7776a81f4a717b93ec716a770829e01a19bde3e4fb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7a1c3f0-8acd-4448-b088-74402893e096.vbs

Filesize
734B

MD5
17a1321a99e509116c9977535bfdb10c

SHA1
8f823104bd22cdd6637e61b5bd6a2edc50b7f6ce

SHA256
c7a556da8fead6209d49fcfd03cf4526570f099e3b21c63907c6a09cf01cafcb

SHA512
118658db2371974a33004c5e8827b19546ebae3691ef280a0069c3927420daaae30dc314d43dc83d882f664df8f732efa8a6cc90f2379909c37c90f597f113c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF086.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
743df0b7574eee96fbfe295d21f010c6

SHA1
1455466beac903d8339c8f8e47232ea73adb27ee

SHA256
164ef9b0de50445ee7492ab6b67578a658f21ced5ff1c95d57e24f684388ad97

SHA512
e01dcf0edf31028ec7d224af46973ab753bcae7d29e8cc041ae767b67ea3a122984ecd25a9e19a09c8e2ea7475dcb6f4335dfa6d97bb28f7d5e70d9d391794ae

Download Submit
memory/352-216-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/1248-200-0x0000000000100000-0x00000000005F4000-memory.dmp

Filesize
5.0MB

Download
memory/1248-201-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/1524-155-0x00000000013E0000-0x00000000018D4000-memory.dmp

Filesize
5.0MB

Download
memory/2196-231-0x00000000002E0000-0x00000000007D4000-memory.dmp

Filesize
5.0MB

Download
memory/2264-71-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2492-11-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/2492-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/2492-53-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-16-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/2492-15-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2492-14-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2492-13-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/2492-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2492-12-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/2492-3-0x000000001B6E0000-0x000000001B80E000-memory.dmp

Filesize
1.2MB

Download
memory/2492-4-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2492-10-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/2492-9-0x0000000002530000-0x000000000253A000-memory.dmp

Filesize
40KB

Download
memory/2492-8-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/2492-7-0x0000000000C00000-0x0000000000C16000-memory.dmp

Filesize
88KB

Download
memory/2492-6-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2492-5-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2748-246-0x0000000001240000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2748-247-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2844-170-0x0000000000170000-0x0000000000664000-memory.dmp

Filesize
5.0MB

Download
memory/2884-185-0x00000000002D0000-0x00000000007C4000-memory.dmp

Filesize
5.0MB

Download
memory/2896-113-0x0000000001120000-0x0000000001614000-memory.dmp

Filesize
5.0MB

Download
memory/2936-73-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download