dcrat | 468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Size

4.9MB
MD5

261b88ce85c81cd9d3296c430bc897d0
SHA1

0f05a6f1da522690e312c22d1ff63b46b77b5b1f
SHA256

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99
SHA512

df8c85e30bb4135034eaea615578e50b47f4a94d6c4e667a143858f2cb5f6350d689aafeda89f21215970298c2dab650b94b47c38aaa07c2af2d1648bd419a7d
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2448	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2448	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exe468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2480-3-0x000000001B430000-0x000000001B55E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1984	powershell.exe
2120	powershell.exe
2108	powershell.exe
548	powershell.exe
1960	powershell.exe
2800	powershell.exe
3056	powershell.exe
1816	powershell.exe
2228	powershell.exe
2952	powershell.exe
1836	powershell.exe
1448	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
1520	dwm.exe
2648	dwm.exe
2856	dwm.exe
604	dwm.exe
996	dwm.exe
484	dwm.exe
2684	dwm.exe
2328	dwm.exe
868	dwm.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops file in System32 directory 1 IoCs

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

description	ioc	Process
File created	C:\Windows\System32\csrss.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

Drops file in Program Files directory 32 IoCs

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\smss.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Common Files\wininit.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX909.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\5940a34987c991	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\6cb0b6c459d5d3	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Common Files\wininit.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Common Files\69ddcba757bf72	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE409.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\RCXED32.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\RCXFC95.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Common Files\56085415360792	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sppsvc.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXB99.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Common Files\smss.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Adobe\OSPPSVC.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX6F6.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Adobe\1610b97d3ab4a7	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXFEA8.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCX4E2.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\VideoLAN\VLC\24dbde2999530e	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Program Files (x86)\Adobe\OSPPSVC.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

Drops file in Windows directory 12 IoCs

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Windows\PolicyDefinitions\en-US\24dbde2999530e	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXF580.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\Panther\setup.exe\System.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCX2CF.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Windows\Panther\setup.exe\27d1bcfc3c54e0	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Windows\es-ES\0a1fd5f707cd16	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Windows\Panther\setup.exe\System.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\es-ES\RCXE89E.tmp	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File opened for modification	C:\Windows\es-ES\sppsvc.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
File created	C:\Windows\es-ES\sppsvc.exe	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2676	schtasks.exe
2028	schtasks.exe
2076	schtasks.exe
1872	schtasks.exe
2932	schtasks.exe
2664	schtasks.exe
1312	schtasks.exe
1936	schtasks.exe
1396	schtasks.exe
2560	schtasks.exe
652	schtasks.exe
2936	schtasks.exe
1684	schtasks.exe
2284	schtasks.exe
2180	schtasks.exe
2800	schtasks.exe
1488	schtasks.exe
2412	schtasks.exe
1152	schtasks.exe
2816	schtasks.exe
2896	schtasks.exe
1660	schtasks.exe
2376	schtasks.exe
2112	schtasks.exe
1680	schtasks.exe
2440	schtasks.exe
1124	schtasks.exe
296	schtasks.exe
2012	schtasks.exe
2964	schtasks.exe
2868	schtasks.exe
2052	schtasks.exe
620	schtasks.exe
2900	schtasks.exe
2952	schtasks.exe
2124	schtasks.exe
1716	schtasks.exe
2348	schtasks.exe
660	schtasks.exe
2624	schtasks.exe
2300	schtasks.exe
2984	schtasks.exe
2372	schtasks.exe
1708	schtasks.exe
2080	schtasks.exe
1852	schtasks.exe
1744	schtasks.exe
2668	schtasks.exe
1836	schtasks.exe
1676	schtasks.exe
2892	schtasks.exe
2648	schtasks.exe
3024	schtasks.exe
1624	schtasks.exe
1876	schtasks.exe
1352	schtasks.exe
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
1836	powershell.exe
1448	powershell.exe
1960	powershell.exe
2800	powershell.exe
3056	powershell.exe
2228	powershell.exe
1816	powershell.exe
2108	powershell.exe
2952	powershell.exe
548	powershell.exe
1984	powershell.exe
2120	powershell.exe
1520	dwm.exe
2648	dwm.exe
2856	dwm.exe
604	dwm.exe
996	dwm.exe
484	dwm.exe
2684	dwm.exe
2328	dwm.exe
868	dwm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1520	dwm.exe
Token: SeDebugPrivilege	2648	dwm.exe
Token: SeDebugPrivilege	2856	dwm.exe
Token: SeDebugPrivilege	604	dwm.exe
Token: SeDebugPrivilege	996	dwm.exe
Token: SeDebugPrivilege	484	dwm.exe
Token: SeDebugPrivilege	2684	dwm.exe
Token: SeDebugPrivilege	2328	dwm.exe
Token: SeDebugPrivilege	868	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.execmd.exedwm.exeWScript.exedwm.exeWScript.exedwm.exe

description	pid	Process	procid_target
PID 2480 wrote to memory of 2800	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	89
PID 2480 wrote to memory of 2800	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	89
PID 2480 wrote to memory of 2800	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	89
PID 2480 wrote to memory of 1448	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	90
PID 2480 wrote to memory of 1448	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	90
PID 2480 wrote to memory of 1448	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	90
PID 2480 wrote to memory of 1836	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	91
PID 2480 wrote to memory of 1836	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	91
PID 2480 wrote to memory of 1836	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	91
PID 2480 wrote to memory of 3056	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	93
PID 2480 wrote to memory of 3056	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	93
PID 2480 wrote to memory of 3056	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	93
PID 2480 wrote to memory of 1816	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	95
PID 2480 wrote to memory of 1816	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	95
PID 2480 wrote to memory of 1816	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	95
PID 2480 wrote to memory of 2952	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	97
PID 2480 wrote to memory of 2952	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	97
PID 2480 wrote to memory of 2952	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	97
PID 2480 wrote to memory of 2228	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	99
PID 2480 wrote to memory of 2228	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	99
PID 2480 wrote to memory of 2228	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	99
PID 2480 wrote to memory of 2108	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	100
PID 2480 wrote to memory of 2108	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	100
PID 2480 wrote to memory of 2108	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	100
PID 2480 wrote to memory of 1984	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	101
PID 2480 wrote to memory of 1984	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	101
PID 2480 wrote to memory of 1984	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	101
PID 2480 wrote to memory of 2120	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	102
PID 2480 wrote to memory of 2120	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	102
PID 2480 wrote to memory of 2120	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	102
PID 2480 wrote to memory of 1960	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	103
PID 2480 wrote to memory of 1960	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	103
PID 2480 wrote to memory of 1960	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	103
PID 2480 wrote to memory of 548	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	104
PID 2480 wrote to memory of 548	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	104
PID 2480 wrote to memory of 548	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	104
PID 2480 wrote to memory of 1092	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	113
PID 2480 wrote to memory of 1092	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	113
PID 2480 wrote to memory of 1092	2480	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe	113
PID 1092 wrote to memory of 2256	1092	cmd.exe	115
PID 1092 wrote to memory of 2256	1092	cmd.exe	115
PID 1092 wrote to memory of 2256	1092	cmd.exe	115
PID 1092 wrote to memory of 1520	1092	cmd.exe	116
PID 1092 wrote to memory of 1520	1092	cmd.exe	116
PID 1092 wrote to memory of 1520	1092	cmd.exe	116
PID 1520 wrote to memory of 652	1520	dwm.exe	117
PID 1520 wrote to memory of 652	1520	dwm.exe	117
PID 1520 wrote to memory of 652	1520	dwm.exe	117
PID 1520 wrote to memory of 856	1520	dwm.exe	118
PID 1520 wrote to memory of 856	1520	dwm.exe	118
PID 1520 wrote to memory of 856	1520	dwm.exe	118
PID 652 wrote to memory of 2648	652	WScript.exe	119
PID 652 wrote to memory of 2648	652	WScript.exe	119
PID 652 wrote to memory of 2648	652	WScript.exe	119
PID 2648 wrote to memory of 1548	2648	dwm.exe	120
PID 2648 wrote to memory of 1548	2648	dwm.exe	120
PID 2648 wrote to memory of 1548	2648	dwm.exe	120
PID 2648 wrote to memory of 2488	2648	dwm.exe	121
PID 2648 wrote to memory of 2488	2648	dwm.exe	121
PID 2648 wrote to memory of 2488	2648	dwm.exe	121
PID 1548 wrote to memory of 2856	1548	WScript.exe	122
PID 1548 wrote to memory of 2856	1548	WScript.exe	122
PID 1548 wrote to memory of 2856	1548	WScript.exe	122
PID 2856 wrote to memory of 896	2856	dwm.exe	123

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe
"C:\Users\Admin\AppData\Local\Temp\468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lJwS3LgKwS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2256
- - C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
    "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1520
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2afbc34-c039-4afd-a5c8-d0a54c3e87f0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb85d61-3666-4ada-a9f3-7c78b9403f6e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\279a65d0-989d-4f86-8eda-824e12e47ed5.vbs"
        8⤵
        
        PID:896
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef30aac4-ace6-4f98-bbc5-37454057c8ca.vbs"
        10⤵
        
        PID:1224
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c6b17d-6bfd-4613-8880-e0de8e5c8c70.vbs"
        12⤵
        
        PID:316
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2ea542-4777-4ced-8dbd-dc45844cd1e2.vbs"
        14⤵
        
        PID:2356
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e4f0eaf-01b0-452a-a8be-af0826e8135f.vbs"
        16⤵
        
        PID:1576
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea37ac14-f393-4bcf-9d99-9c43826e4b2c.vbs"
        18⤵
        
        PID:2800
        
        C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045910c0-3773-4809-8283-db6e110a4308.vbs"
        20⤵
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de48860a-efcc-4774-bcb9-7ec64eaebfd5.vbs"
        20⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8ef232f-172e-4a17-b7a6-b743dcdead7f.vbs"
        18⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8afde59c-8a07-4280-9d05-06538fc2bfd8.vbs"
        16⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394beb9c-b684-439c-b77b-18fac2b50f18.vbs"
        14⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5dc8c69-710e-430a-bb92-b125790e0723.vbs"
        12⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6256db7f-ce29-4dd3-b8f4-b5c191dba955.vbs"
        10⤵
        
        PID:696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10ce0011-0901-4a70-aa6a-1553b0b9cac1.vbs"
        8⤵
        
        PID:2644
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\baeb2756-52e4-49b0-a5f3-c1c7b4240a9a.vbs"
        6⤵
        
        PID:2488
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a1cac77-f5f9-4ea5-b6c3-7d132cf2f06d.vbs"
      4⤵
      PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\setup.exe\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\playlist\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe

Filesize
4.9MB

MD5
261b88ce85c81cd9d3296c430bc897d0

SHA1
0f05a6f1da522690e312c22d1ff63b46b77b5b1f

SHA256
468bf7713166e6febbdef2ddc6f9004ebd1f385474a87c0b5674f936dfe09e99

SHA512
df8c85e30bb4135034eaea615578e50b47f4a94d6c4e667a143858f2cb5f6350d689aafeda89f21215970298c2dab650b94b47c38aaa07c2af2d1648bd419a7d

Download Submit
C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe

Filesize
4.9MB

MD5
ffdebe86287867fd80fcbd92c7f0eaf7

SHA1
ceebe50b02589a74628fd1d5f53a899ab4a711b9

SHA256
33f20c18761a0234fed717a0b5a6dae2d2bbec83ed696c5a1b86e896702ad029

SHA512
a57eb763c3a113e1785510a97cad004288b195f88ad2bb2d2a84fea06c4a6992d156d4d07df598337c010c3bbe76a069470e6159522c644cc3369a680d61970b

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\smss.exe

Filesize
4.9MB

MD5
82c227938f68f65e98b5e3e849e77467

SHA1
85b9f8f02cfbd458ab96bf2b6e79891724f0ec01

SHA256
35866593c65634d7dbd400cf737afc9c11f9276f004aa92fff8bc89e52b15834

SHA512
c5b979d556d29fddce8545f158dcd2cc0160c84815847c3163ec7394d1210fa78f56eed26d11dd2e2387ec546188d3986b6df87cc84314b21f913a388329b07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\045910c0-3773-4809-8283-db6e110a4308.vbs

Filesize
725B

MD5
fab1235da4e9579b6b5a79f6ddbf0615

SHA1
8a349d2e3f077bd8dd6806023ba257207ebdf5ec

SHA256
0b91cb3f1ce58e9f64a59828a4c6b85fd5def406a5fd543072af1162abeb4dd4

SHA512
30cad3133a89aecb6dc159004cd7fa84a453bfc7ceab765ed1dd4f9450da4b6dac9b2117099222dc504d81e62edb2ac73fec0f2f13c3a1d72d63794761bd0c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\04c6b17d-6bfd-4613-8880-e0de8e5c8c70.vbs

Filesize
725B

MD5
f3505ff4c22fb37cf338cf565b207518

SHA1
e43c448e29e3eaa71a184043a2eeb1670c20c651

SHA256
d18cd89b5fa617715e1501ededba04aefa88538693f19ec41edb3669758d91cc

SHA512
7ac8a356825892419590e0e8ff21fbccd84f3db9c915524c1268f3e50cf99c726371b3424ecdbb89e098c2ad2fa9b8feb498ac21dbf7ad442d54b49c1f8c650c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fb85d61-3666-4ada-a9f3-7c78b9403f6e.vbs

Filesize
726B

MD5
f152c040da0e9af1702a64c692bfdbf4

SHA1
8b1895c19cb6b065a806ac75b3944fd1dbf50268

SHA256
9cc1e3a96b780be4807bc87bb4ef8d466fbe08bb8b1b5de353e3f196bd2440c8

SHA512
451c0d8c15f75f90ee117011ea704890ab6890e5d8c744127656392c0447458fae8aa59258bf3954339894035dcd78f284a3f5840e7d29238145189660436e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\279a65d0-989d-4f86-8eda-824e12e47ed5.vbs

Filesize
726B

MD5
ce1135e587fb264c35dbaae2a6747b57

SHA1
3545ee4320fc2b1a5ec7c05be06b8974811e9c07

SHA256
5a91d3ff118fb188f21a61c324fd807dd12cffac3e229bd620227f1817384405

SHA512
3d6982d970a62e2996c7b00f94f26c2bacab1da9a8c168bbfa773ed66be2fa542be8a6fbfadec68f4bdf1afc78cbc55d4dd4def9f8eb6c1e7c9a4a90535161a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a2ea542-4777-4ced-8dbd-dc45844cd1e2.vbs

Filesize
725B

MD5
40ec9e3351ddf37e0e6376e41442c10c

SHA1
85d5c3b97df4dafefeef0f07cfd797ab858babcc

SHA256
1d4ff49d05a9806e37fe12b1be1f800593b8d6f25a544ff13b9e53b5fece67b8

SHA512
e5f9218c2846c8a8b2a31818ee4a3a1344b034cb25dbb1daa7fdb777d6c1bf9f7bc51465a2465e166d77d54ccbd783d9aee4154935b8c8adb1b684b35b646f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a1cac77-f5f9-4ea5-b6c3-7d132cf2f06d.vbs

Filesize
502B

MD5
a4f4023c7e137cbe5b412a152c8eabf3

SHA1
8fede6815256c58ea9fbb2001a49af9dc15b402e

SHA256
7d9c2e9e191f4bf78b4a49a5cab7503b54101a9bb887258addf31ec31ecf41cd

SHA512
269ebb05ff33dd99b7583ff91ee16c02e325c3bce82c1d55d7d857cc0962ab59c8dc947b4bb7b9556eba4bad71c3ba518667259aea000c14af79cac2c32b39b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e4f0eaf-01b0-452a-a8be-af0826e8135f.vbs

Filesize
726B

MD5
c87054088498f8a65593fd6e61c2a05e

SHA1
8b0fede639c74ce78de38c9df1ec0be4ee0e3944

SHA256
e966f219db8e7106bb3ef1e3ae4f6e48a915db97af20119b12df9e94c9433aaf

SHA512
03ad2d1f6e2b69d0373aa511e5c123a6d7ce8b4cc7bdbf0c43441c4c9642f01d0116553b361c041a1256861f50a64a8b9dc4ad5241f02ff844a37a93d86dcab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea37ac14-f393-4bcf-9d99-9c43826e4b2c.vbs

Filesize
726B

MD5
ff8a9e2e70872449e22bd1c365ee1967

SHA1
57681abd55edbf1668081d896188f584f97e0b40

SHA256
3ea341c7b02e8a27d73c97079f9d7946845625b6fd62360546a667e143cb116c

SHA512
0440f8ac7c839612534807b0770438cc32dbc33bd477144639d589f35e608520b12594c437f9cb3a8525f3ec544f18894e1224b0513e4a5429a0201f32fee360

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef30aac4-ace6-4f98-bbc5-37454057c8ca.vbs

Filesize
725B

MD5
ccef6f430ecf4d87419157d21e158f41

SHA1
56b094814df7fe8d7a81ceea083fe199e78ff643

SHA256
457152e571e080e8decccc2389bbef4c11b6ce7a833c2caf9cb9d85d5a9234c1

SHA512
824dbc3067895c0c40de58f789bc0ae348a4610e13553a9bbe3f3789f94886a4b77e4e9dc7d02ea3af13b9ac50221d7a991fa4913e5fd8d91f7e428f6d0daa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2afbc34-c039-4afd-a5c8-d0a54c3e87f0.vbs

Filesize
726B

MD5
e62177f06138f88ca193b91f73adc412

SHA1
1d89622df0dd0fe253b9bf02e68d93a16cf3a884

SHA256
b35f335d892ff589bcee99b100dad1d95ff29eb45a2ccdb7dcf2fddf3652b430

SHA512
672fbbe11e346ff5b7a9418c458dfc7a76a8481a1756b4cf760440a0aa8603bcc73a931bd2eee5cc6084fa6ae3519278a088cb237d7f1df5406fdebb738f44dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJwS3LgKwS.bat

Filesize
215B

MD5
cc54c3a6553942dd21988a444f081ac7

SHA1
e9727fcea4797f2192df84a149dc0ec3ddc741f2

SHA256
83514c5736a7c3da16a3e29264d61a1772e948ced73dc8c2c620fac053038621

SHA512
38bebc8df879d7474e3ecfcda7a8fa22d6eda6e527fe3c03cbca66a12682e00f48dfd19639cb931d0ad8b0c7b565035b9c4bc0741463b432b06064d7a3b00e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3562.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d110237bdcc06c637d12b750bc2bcc0f

SHA1
8c8b51e5526a49fe20fa4a4137c62f9e37bfae3a

SHA256
9b65548d1ee37ba24dd063f4e123b9d82736f53e7355fd08cb335463cc3d1570

SHA512
1e42e5eb9edf4f6088535199f276ceec45fadc7f9f947dfd5eff8a4fb8c99573b3d012d511e54c2fcebdbbdf7793845a380abfa41b8f89d5ed30b8664797a565

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/604-301-0x0000000000AD0000-0x0000000000FC4000-memory.dmp

Filesize
5.0MB

Download
memory/996-316-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/996-317-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/1520-258-0x0000000001250000-0x0000000001744000-memory.dmp

Filesize
5.0MB

Download
memory/1836-200-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1836-199-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2328-361-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2328-360-0x00000000012C0000-0x00000000017B4000-memory.dmp

Filesize
5.0MB

Download
memory/2480-198-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2480-10-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2480-155-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2480-140-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/2480-16-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/2480-15-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2480-14-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2480-13-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/2480-1-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2480-12-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2480-11-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/2480-0-0x000007FEF5BE3000-0x000007FEF5BE4000-memory.dmp

Filesize
4KB

Download
memory/2480-9-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2480-8-0x0000000000790000-0x00000000007A0000-memory.dmp

Filesize
64KB

Download
memory/2480-7-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/2480-6-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2480-5-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2480-4-0x00000000005A0000-0x00000000005BC000-memory.dmp

Filesize
112KB

Download
memory/2480-3-0x000000001B430000-0x000000001B55E000-memory.dmp

Filesize
1.2MB

Download
memory/2480-2-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-286-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download