dcrat | 7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Size

4.9MB
MD5

ae0ba9569cf7c10b38e333294ecd7e70
SHA1

ea845af8e5d2a2faee5881f904e79f6316e461dd
SHA256

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05
SHA512

b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2716	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2416-3-0x000000001B660000-0x000000001B78E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2328	powershell.exe
740	powershell.exe
3004	powershell.exe
2288	powershell.exe
1928	powershell.exe
2588	powershell.exe
1152	powershell.exe
2276	powershell.exe
2460	powershell.exe
1420	powershell.exe
2076	powershell.exe
884	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

pid	Process
2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2656	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1452	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1544	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2288	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1412	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Drops file in Program Files directory 16 IoCs

Processes:

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXC6ED.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXCAF5.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\429bc17f69c426	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\Idle.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\6ccacd8608530f	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Windows Media Player\de-DE\429bc17f69c426	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Windows Media Player\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\6203df4a6bafc7	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCXC074.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCXC2E5.tmp	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\lsass.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
File created	C:\Program Files\VideoLAN\VLC\locale\Idle.exe	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2884	schtasks.exe
2664	schtasks.exe
2700	schtasks.exe
2912	schtasks.exe
2852	schtasks.exe
764	schtasks.exe
576	schtasks.exe
2172	schtasks.exe
2364	schtasks.exe
2264	schtasks.exe
660	schtasks.exe
2012	schtasks.exe
2940	schtasks.exe
2140	schtasks.exe
796	schtasks.exe
2868	schtasks.exe
2652	schtasks.exe
2784	schtasks.exe
1532	schtasks.exe
2792	schtasks.exe
2904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

pid	Process
2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1420	powershell.exe
2460	powershell.exe
1152	powershell.exe
3004	powershell.exe
2288	powershell.exe
740	powershell.exe
884	powershell.exe
1928	powershell.exe
2076	powershell.exe
2276	powershell.exe
2328	powershell.exe
2588	powershell.exe
2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2656	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1452	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1544	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
2288	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
1412	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	2656	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	2936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	1452	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	936	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	1544	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	2288	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Token: SeDebugPrivilege	1412	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.execmd.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exeWScript.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exeWScript.exe7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

description	pid	Process	procid_target
PID 2416 wrote to memory of 1420	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	53
PID 2416 wrote to memory of 1420	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	53
PID 2416 wrote to memory of 1420	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	53
PID 2416 wrote to memory of 2288	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	54
PID 2416 wrote to memory of 2288	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	54
PID 2416 wrote to memory of 2288	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	54
PID 2416 wrote to memory of 1928	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	55
PID 2416 wrote to memory of 1928	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	55
PID 2416 wrote to memory of 1928	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	55
PID 2416 wrote to memory of 2588	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	56
PID 2416 wrote to memory of 2588	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	56
PID 2416 wrote to memory of 2588	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	56
PID 2416 wrote to memory of 2076	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	57
PID 2416 wrote to memory of 2076	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	57
PID 2416 wrote to memory of 2076	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	57
PID 2416 wrote to memory of 2328	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	58
PID 2416 wrote to memory of 2328	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	58
PID 2416 wrote to memory of 2328	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	58
PID 2416 wrote to memory of 740	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	59
PID 2416 wrote to memory of 740	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	59
PID 2416 wrote to memory of 740	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	59
PID 2416 wrote to memory of 884	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	60
PID 2416 wrote to memory of 884	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	60
PID 2416 wrote to memory of 884	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	60
PID 2416 wrote to memory of 1152	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	61
PID 2416 wrote to memory of 1152	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	61
PID 2416 wrote to memory of 1152	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	61
PID 2416 wrote to memory of 2276	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	62
PID 2416 wrote to memory of 2276	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	62
PID 2416 wrote to memory of 2276	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	62
PID 2416 wrote to memory of 2460	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	63
PID 2416 wrote to memory of 2460	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	63
PID 2416 wrote to memory of 2460	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	63
PID 2416 wrote to memory of 3004	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	64
PID 2416 wrote to memory of 3004	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	64
PID 2416 wrote to memory of 3004	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	64
PID 2416 wrote to memory of 3020	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	72
PID 2416 wrote to memory of 3020	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	72
PID 2416 wrote to memory of 3020	2416	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	72
PID 3020 wrote to memory of 2792	3020	cmd.exe	79
PID 3020 wrote to memory of 2792	3020	cmd.exe	79
PID 3020 wrote to memory of 2792	3020	cmd.exe	79
PID 3020 wrote to memory of 2120	3020	cmd.exe	80
PID 3020 wrote to memory of 2120	3020	cmd.exe	80
PID 3020 wrote to memory of 2120	3020	cmd.exe	80
PID 2120 wrote to memory of 1356	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	81
PID 2120 wrote to memory of 1356	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	81
PID 2120 wrote to memory of 1356	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	81
PID 2120 wrote to memory of 1728	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	82
PID 2120 wrote to memory of 1728	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	82
PID 2120 wrote to memory of 1728	2120	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	82
PID 1356 wrote to memory of 3016	1356	WScript.exe	83
PID 1356 wrote to memory of 3016	1356	WScript.exe	83
PID 1356 wrote to memory of 3016	1356	WScript.exe	83
PID 3016 wrote to memory of 800	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	84
PID 3016 wrote to memory of 800	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	84
PID 3016 wrote to memory of 800	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	84
PID 3016 wrote to memory of 264	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	85
PID 3016 wrote to memory of 264	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	85
PID 3016 wrote to memory of 264	3016	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	85
PID 800 wrote to memory of 2656	800	WScript.exe	86
PID 800 wrote to memory of 2656	800	WScript.exe	86
PID 800 wrote to memory of 2656	800	WScript.exe	86
PID 2656 wrote to memory of 2992	2656	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe	87

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
"C:\Users\Admin\AppData\Local\Temp\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PC7CVf0dwd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2792
- - C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
    "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa3522bb-d8aa-42d4-b8f7-71a2379e2bfd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3016
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a06d064-e4f2-4b2c-ab45-df2c060e012c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2311777f-1e9a-4d5c-a8cf-4dd9278d2684.vbs"
        8⤵
        
        PID:2992
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0d65430-727a-4c70-9b0e-3f9d59bb4088.vbs"
        10⤵
        
        PID:2736
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cedc9ee-c2cb-432f-a58a-7bc995ccb126.vbs"
        12⤵
        
        PID:2188
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2d042a2-88f8-4b2f-bbcd-78f067218b7d.vbs"
        14⤵
        
        PID:1888
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8dd48e0-67e5-4676-8d1b-a26f6ab9eee9.vbs"
        16⤵
        
        PID:1956
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c889c7b3-07d9-4828-b747-43f765216114.vbs"
        18⤵
        
        PID:2780
        
        C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b07dc7-d2d1-4833-a63e-5c1b39e39e80.vbs"
        18⤵
        
        PID:764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9389468-c8b5-4930-9d03-ea3c0c2bedae.vbs"
        16⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3dfc9eb-4f42-4fe4-8c68-91584419b85e.vbs"
        14⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5327b44f-ceaa-45c9-b11f-2416653d1e24.vbs"
        12⤵
        
        PID:1900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a880b4aa-3958-42cb-92a5-cd022609300b.vbs"
        10⤵
        
        PID:2256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ecf998e-6752-40c3-ba04-cabeebcd2c45.vbs"
        8⤵
        
        PID:2660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\911d506e-bc09-4a7a-aff1-4f2b425c44b8.vbs"
        6⤵
        
        PID:264
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\307cd182-6108-4f0d-9cb2-4ba361861f9f.vbs"
      4⤵
      PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N" /sc ONLOGON /tr "'C:\Users\Default\Downloads\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N7" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\locale\Idle.exe

Filesize
4.9MB

MD5
71f1bebc23e727090b1baef7cad78d6b

SHA1
1a1744beabec83eb55cb1b08e22c6b7642ec49ba

SHA256
e89e518d67b1ec0801dceb70053b85719833d5fafec5b626f1f85905ee38ac84

SHA512
804ffedc56b80ad2692d39c9c8319c5d8eddf9274bdf827c67b61a40278fed894b2dd63cbe78e4b1e1cf2b2015221d22e15129f0c0ee5a6f09a49f66b774e030

Download Submit
C:\Program Files\Windows Photo Viewer\de-DE\7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05N.exe

Filesize
4.9MB

MD5
ae0ba9569cf7c10b38e333294ecd7e70

SHA1
ea845af8e5d2a2faee5881f904e79f6316e461dd

SHA256
7c2553e0b991923e0c4aa1410cf06cb686a455c5ea2867fc00778da787f8dc05

SHA512
b9959a49727c1867aeb71d71c9b26cbf0094bb6a310dec981f110d09d9b2aa3d33b9800ae6736cd66c51720ae76d0b6b5887e138377429f6aea6c142b247bd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a06d064-e4f2-4b2c-ab45-df2c060e012c.vbs

Filesize
789B

MD5
446925b2f0fe03314107e8d59dbb5e3b

SHA1
7de114c5a26ef3dfa31c08f84d9bed9b661a10c3

SHA256
d69db9f8857f835a3ffb059c45f8429c964d83d0da9be832d8d458c3dae64cb3

SHA512
15f84228b9bc7eaa9ee0c17712d0cf6dd97d7245d82656a406d4c45713a00a1bb26ef7a5d179eadca8e87c46d00074391e0f8d8e12f59e1710804488b8429c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\2311777f-1e9a-4d5c-a8cf-4dd9278d2684.vbs

Filesize
789B

MD5
b53acdc41858f1976d185c7436e82a2e

SHA1
1bfaa0da0c5fef7306ad0e4c1fff2ac173d2483c

SHA256
4c0eaf973eb28d92dd0446be448fcd46f912a6a9bc5bacc1c448d7641d34c274

SHA512
57b744eab242b7234a14a25399a8872bbf661f4cffede5abbc8a4783a696ec4537ad5784c0b10831f1238d18e56a7c8861bf3a52da27bc44e244675aa62ad4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\307cd182-6108-4f0d-9cb2-4ba361861f9f.vbs

Filesize
565B

MD5
011863c9dc60bc142312a34a711fe6a2

SHA1
b93ab0e84a0a00db4fa6a852b9c405dfb0f68479

SHA256
aadb32b0a945bf59b5a498f46f7da137859068456b189b91aba394a90c0c4ba6

SHA512
fd6c2d09e2c6dc0ef6b311203dcb6363fc7ef583437d6a2be227dd78c41d4724ceec75f82d1ae025d77ddedaab94e9673421391e70b563ff1d8fe453fbeff351

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cedc9ee-c2cb-432f-a58a-7bc995ccb126.vbs

Filesize
789B

MD5
3a9d13ca1db86b43aa369b82557b750f

SHA1
b864d39489f41ddbcb67a343e607694c4c7bc8b1

SHA256
97040dfb560f0f6d074a702b1a26e61f3152e7e1c441c8868941b2ab4be2d952

SHA512
e200be4ada89c995a66d0af196322fa06f4d3b9c4ad5a2987e4ac106e7ac77ff77817f8fe47216bac99e256c4656327422e9203c8b8d7911ae14e7de55a0fdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PC7CVf0dwd.bat

Filesize
278B

MD5
ce3861a0557fa0264ff818d54dc71428

SHA1
871dd5851ca2353a525b0af9d8d1d3a2c6144eeb

SHA256
7c3738bb1a745cd60deeb598baac1d8b95b2e81cbea5f9cee2950ef5ad223848

SHA512
a8b88bce96244279bef3721f9ff9fbb34eb8f559b671680b0f699615ed9eca4ba4aa9a63d3d1802d2db4dcbf4e7c94688f0b5eb0165baa1291099cc2da037296

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0d65430-727a-4c70-9b0e-3f9d59bb4088.vbs

Filesize
789B

MD5
841584dc69ae006f0e6dff1359c39067

SHA1
3357c30aac1c1570e9aafc2c2fa880e411a1f6fa

SHA256
79853a5a947a3d06d310bf2a01026b7b3fb8e6b1f1641470e261be0d0d330909

SHA512
c40e5c0f7fed2a4b801e2db8355eafa72702784ab1f52609c6e4a38073ecb3c2744fd699b99524780e862c92a8b41859bc70af9526f6b073bcebfbd56f20a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8dd48e0-67e5-4676-8d1b-a26f6ab9eee9.vbs

Filesize
789B

MD5
dc7e4bcf77b2dfdc6eaa5a41bd3c98d7

SHA1
d67969807209b071b31db341fd3f76070dbba1eb

SHA256
b9a7fec928b56e93f51aea33d656cc50ce70aaf5eb9fccfe4669da4c4b2ce55c

SHA512
ef2c8ea9a57e0e133253d3d2a6b6a7a2226b1e1115e0792ee61d77618b5b6cbda89709ee039e21c54ef183803ae6d7e5e8325cdffc6c32a36ef89c80ec2194f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c889c7b3-07d9-4828-b747-43f765216114.vbs

Filesize
789B

MD5
5eeb3b8fc5b25688b2b1f01291f2ae13

SHA1
d8be12c7ad7205a14daacbd0ded2410d0d41a7df

SHA256
d5660fae2c4c2f738725b13f70c2cda3d056581d8e197590c4ae238704dbe22a

SHA512
0d5568cd7c2ed0c34cd9b428a8a87cdc59cfb1809559dd4bfbcf888333f387576528263b8f2c8e25c670a587d5da2f1e158aaf3bd253d8ae64f612d5cd6829dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d042a2-88f8-4b2f-bbcd-78f067218b7d.vbs

Filesize
788B

MD5
45bcff3402599e932c5d944dd7bb27ac

SHA1
1bd4714fe70777c91dc7f665c928751b40a363c1

SHA256
d5a822aa7e8cabb02b8a1ea63da7746176e8873b0ec0edcfe76a97b9b1950b82

SHA512
60e9dbe3fb38862f733c28489a39c05673a03f3cd1fdbaa58c1859c815b7325ac4636b081b68f321264a1b1580474e736a97710973e3e462f73525974f08eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa3522bb-d8aa-42d4-b8f7-71a2379e2bfd.vbs

Filesize
789B

MD5
9176a19353ab7c7f90277a8df0e3b3f0

SHA1
a2d318bc85936242500426a33c7fd0a68bfdc5e6

SHA256
00de968757afebfde3d8dffe1b313c80d59ead6aa3c67ae1eb40cd753edd7139

SHA512
c9c2e93b7b108fc2108ab54fdf01f6080f2f619c40a2fcf3a98d5a99d0988ee56da8170f19e72144b71aaa11648e93f23b9caeea15b254abd90782acfc86b199

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF40F.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b2a37fdfd95d41e002f3ebe7c19fcec

SHA1
37183bb2ba90bb46f278c6a1a55a4e2d2b7e7853

SHA256
5d21f1d2f6b5d041743c54f57629b7b6d3feb46709a30ded5f73256e820051ab

SHA512
66ef38eb8f19702b85811bf482d5e31d0086262aaeb8416a04d28e76c2c26d614d56e68677405e7ece82a0d5f613bab84f56ba1c7d37dca584576a594a8bd59f

Download Submit
memory/936-224-0x0000000000190000-0x0000000000684000-memory.dmp

Filesize
5.0MB

Download
memory/1412-269-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/1420-98-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1420-111-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1544-239-0x0000000000990000-0x0000000000E84000-memory.dmp

Filesize
5.0MB

Download
memory/2120-151-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/2120-150-0x0000000000AD0000-0x0000000000FC4000-memory.dmp

Filesize
5.0MB

Download
memory/2288-254-0x0000000000D00000-0x00000000011F4000-memory.dmp

Filesize
5.0MB

Download
memory/2416-6-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2416-87-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-14-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2416-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

Filesize
4KB

Download
memory/2416-12-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2416-11-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/2416-10-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2416-1-0x0000000001300000-0x00000000017F4000-memory.dmp

Filesize
5.0MB

Download
memory/2416-9-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2416-2-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-8-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2416-16-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/2416-7-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2416-15-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2416-5-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2416-4-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/2416-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/2416-3-0x000000001B660000-0x000000001B78E000-memory.dmp

Filesize
1.2MB

Download
memory/2656-180-0x0000000000AB0000-0x0000000000FA4000-memory.dmp

Filesize
5.0MB

Download
memory/2936-195-0x00000000011B0000-0x00000000016A4000-memory.dmp

Filesize
5.0MB

Download
memory/3016-165-0x00000000001E0000-0x00000000006D4000-memory.dmp

Filesize
5.0MB

Download