dcrat | bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Size

4.9MB
MD5

a521b23108ca72a0a8e837bb4bc6c309
SHA1

a80623d726004b9c0086377c19f822a67af0c490
SHA256

bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec
SHA512

33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8r:j

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2832	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2832	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1988-2-0x000000001B160000-0x000000001B28E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1832	powershell.exe
1156	powershell.exe
584	powershell.exe
3032	powershell.exe
2984	powershell.exe
2860	powershell.exe
3024	powershell.exe
2804	powershell.exe
3068	powershell.exe
2872	powershell.exe
1056	powershell.exe
2864	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2904	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1932	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
3028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
960	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1712	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1116	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2424	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2752	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\886983d96e3d3e	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCXBB95.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\AppPatch64\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\AppPatch\AppPatch64\6203df4a6bafc7	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXB720.tmp	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
File created	C:\Windows\AppPatch\AppPatch64\lsass.exe	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2176	schtasks.exe
2972	schtasks.exe
2636	schtasks.exe
2656	schtasks.exe
2632	schtasks.exe
2352	schtasks.exe
2824	schtasks.exe
2788	schtasks.exe
1588	schtasks.exe
1008	schtasks.exe
2844	schtasks.exe
600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1156	powershell.exe
2804	powershell.exe
1056	powershell.exe
2984	powershell.exe
3024	powershell.exe
3032	powershell.exe
584	powershell.exe
2872	powershell.exe
2864	powershell.exe
3068	powershell.exe
1832	powershell.exe
2860	powershell.exe
1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2904	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1932	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
3028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
960	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1712	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
1116	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2424	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
2752	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	2904	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	1932	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	3028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	960	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	1712	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	1116	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	2028	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	2424	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Token: SeDebugPrivilege	2752	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3068	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	43
PID 1988 wrote to memory of 3068	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	43
PID 1988 wrote to memory of 3068	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	43
PID 1988 wrote to memory of 3032	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 1988 wrote to memory of 3032	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 1988 wrote to memory of 3032	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	44
PID 1988 wrote to memory of 2984	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 1988 wrote to memory of 2984	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 1988 wrote to memory of 2984	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	45
PID 1988 wrote to memory of 2860	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	46
PID 1988 wrote to memory of 2860	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	46
PID 1988 wrote to memory of 2860	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	46
PID 1988 wrote to memory of 2872	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 1988 wrote to memory of 2872	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 1988 wrote to memory of 2872	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	47
PID 1988 wrote to memory of 1056	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 1988 wrote to memory of 1056	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 1988 wrote to memory of 1056	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	48
PID 1988 wrote to memory of 2864	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	49
PID 1988 wrote to memory of 2864	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	49
PID 1988 wrote to memory of 2864	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	49
PID 1988 wrote to memory of 3024	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 1988 wrote to memory of 3024	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 1988 wrote to memory of 3024	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	50
PID 1988 wrote to memory of 1832	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 1988 wrote to memory of 1832	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 1988 wrote to memory of 1832	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	51
PID 1988 wrote to memory of 1156	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 1988 wrote to memory of 1156	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 1988 wrote to memory of 1156	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	52
PID 1988 wrote to memory of 584	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 1988 wrote to memory of 584	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 1988 wrote to memory of 584	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	53
PID 1988 wrote to memory of 2804	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 1988 wrote to memory of 2804	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 1988 wrote to memory of 2804	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	54
PID 1988 wrote to memory of 1512	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	67
PID 1988 wrote to memory of 1512	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	67
PID 1988 wrote to memory of 1512	1988	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	67
PID 1512 wrote to memory of 2636	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	68
PID 1512 wrote to memory of 2636	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	68
PID 1512 wrote to memory of 2636	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	68
PID 1512 wrote to memory of 2072	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	69
PID 1512 wrote to memory of 2072	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	69
PID 1512 wrote to memory of 2072	1512	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	69
PID 2636 wrote to memory of 264	2636	WScript.exe	71
PID 2636 wrote to memory of 264	2636	WScript.exe	71
PID 2636 wrote to memory of 264	2636	WScript.exe	71
PID 264 wrote to memory of 1004	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	72
PID 264 wrote to memory of 1004	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	72
PID 264 wrote to memory of 1004	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	72
PID 264 wrote to memory of 1824	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	73
PID 264 wrote to memory of 1824	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	73
PID 264 wrote to memory of 1824	264	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	73
PID 1004 wrote to memory of 2068	1004	WScript.exe	74
PID 1004 wrote to memory of 2068	1004	WScript.exe	74
PID 1004 wrote to memory of 2068	1004	WScript.exe	74
PID 2068 wrote to memory of 1032	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	75
PID 2068 wrote to memory of 1032	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	75
PID 2068 wrote to memory of 1032	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	75
PID 2068 wrote to memory of 1744	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	76
PID 2068 wrote to memory of 1744	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	76
PID 2068 wrote to memory of 1744	2068	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe	76
PID 1032 wrote to memory of 2904	1032	WScript.exe	77

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
"C:\Users\Admin\AppData\Local\Temp\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
  "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32789cc1-8c77-47d9-9ff9-f763d115c2c2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
      "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:264
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8fda795-fd43-435e-9272-cc89e61fe819.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
      - C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\124bbc88-47c4-4f2b-8cd4-50ff25e272f3.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\336bbe63-d151-4a8d-93f8-7ba5c1a14cad.vbs"
        9⤵
        
        PID:1396
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d5bbde0-9118-4d95-87ae-429f4e535155.vbs"
        11⤵
        
        PID:2824
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\738e7c2a-124d-415d-aa6c-cacaefadd39d.vbs"
        13⤵
        
        PID:1716
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325676a7-7e31-4fb5-9c7f-587cff353d80.vbs"
        15⤵
        
        PID:2776
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a32181fe-2d17-4e70-819c-1f6103eaaf41.vbs"
        17⤵
        
        PID:2180
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb1cb98-cbd1-4069-a842-e2d1bba6c61d.vbs"
        19⤵
        
        PID:1764
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd3f1e79-1163-40e6-94cd-22a237b084a0.vbs"
        21⤵
        
        PID:1576
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d96886f7-792a-4642-95e3-41e7b002388c.vbs"
        23⤵
        
        PID:1864
        
        C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe
        
        "C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe"
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d02cfb1-f206-4744-b234-956a52f42720.vbs"
        25⤵
        
        PID:596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e49e9830-6319-4fe1-bc9e-3c956de4ebfa.vbs"
        25⤵
        
        PID:1720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\430b9f43-23de-49f0-8f1c-8104f534084e.vbs"
        23⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b9d3347-65a9-4d68-ab8f-e33875f4c020.vbs"
        21⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c23a15-97dd-4683-b628-6a03518a1484.vbs"
        19⤵
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5032e8fc-1f24-4738-9c2f-76325aed07ea.vbs"
        17⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f19d69d-aa52-4153-9b07-b573c50e3713.vbs"
        15⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\616f9c61-8a5d-4f81-b2e7-452117960ab1.vbs"
        13⤵
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f576dedc-e0be-44ce-941b-419ae1d576d1.vbs"
        11⤵
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a31191b-7885-462e-84e6-8f3ad9045815.vbs"
        9⤵
        
        PID:336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0eeefb3b-7b98-450e-8559-27153c16d8e4.vbs"
        7⤵
        
        PID:1744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae881cbc-cce5-478f-b6ca-fc61e5ad6e9c.vbs"
        5⤵
        
        PID:1824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97dd9aaa-337b-4502-bedb-819407e3f7e0.vbs"
    3⤵
    PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\AppPatch64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec" /sc ONLOGON /tr "'C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ecb" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d5bbde0-9118-4d95-87ae-429f4e535155.vbs

Filesize
766B

MD5
e7838ec92320178404186ba0148c99eb

SHA1
9d20233878f5bedeafd95c1a2611397e640aa8b9

SHA256
60f16d3bed7f0e82d7b35845d044695f2dee13de87f30a43d9b1665dcfec7e68

SHA512
f59a3cd10ef9b56bee3c6b096f1c8082d36f81fde799e674b2aeb501059ac915a009211846d76093d035648893979b134cf19b9dff2c122df76c12094a974a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fb1cb98-cbd1-4069-a842-e2d1bba6c61d.vbs

Filesize
766B

MD5
d2cd594db4316dfb67de4d4244b32164

SHA1
1e7ee0cdea18f530598d99bb2afaeef9061587ad

SHA256
ee89a82cc3fb0c04d67079e7295ce6ec3d10bbd1248f81cc62f050f58bd438d1

SHA512
0fa2c27a20ff02a6f59a8e601bae421e9985f9a8720e11bf13474e3b9938eb7705c8e3edf4b07ed5641bd6682182a94ea0cedef01b87bed1f311235a0f79b6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\124bbc88-47c4-4f2b-8cd4-50ff25e272f3.vbs

Filesize
766B

MD5
c98d5bdf5ba7e10fb7a186149b240ccf

SHA1
db7558f685de4618fd087153486ceee32cfcc356

SHA256
252f5b8c2af7327c18971acc59cccc260981f4418de08e6c084011272a029db7

SHA512
4746189c5a59a1faa31d1ddda0f068895435350806fb51afb05896e66ae6c0f3fd7c7c24f3b47b9bb8cb001979affd2eb7ba25144e6e9c5653701b504b9346fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d02cfb1-f206-4744-b234-956a52f42720.vbs

Filesize
766B

MD5
6fd54aa3164f8ef560c959d1ddd47187

SHA1
fa2cc8160a8bc6e0a117e49a9e7bf7e4795d5505

SHA256
3ceb98693510dfb09f7cc18b5238928d6be2ff3f4d9b286ec135501503380709

SHA512
5e6a4d03c876efdbb32730113b7cab16838d8af21f5ab646d4a10ee444a20cfd083694c0fd4047d43486911f1c6389cda509bb80cdc500c690e7f57dd8503d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\325676a7-7e31-4fb5-9c7f-587cff353d80.vbs

Filesize
765B

MD5
bd1f79f31cc136328b7728155f68e443

SHA1
c5ebc9a6af81a11a63c2b75763b6f6789ae7ecd9

SHA256
89092ce4b13816dc4b321ef7899bcd6a1199e340b8c906976a7647362aacb9a2

SHA512
9d78bee7b1473aa104396a364a59a28a2a24a952e3a7141173bfdaacc4ca0d2f4c157176d72dfa594ede7e6a31e77cc97f9c27a6ea790e1c1a7fc9eb2ed0fb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\32789cc1-8c77-47d9-9ff9-f763d115c2c2.vbs

Filesize
766B

MD5
77f8a9fa2c4c9c9260491e928d8e7bd4

SHA1
731635f63849397b9bcf6fd6bf018d47e8b77566

SHA256
e3a92edacf080640486aeb88f126d495769c6e9db4983c1ded5e9d9d69d44e69

SHA512
0321cc672113ba664476967852d061caf5d2f5c976a6846d7ca61a46759449adfdff78dce84adfede9d99d4c91afb7a9c4c3f5130adddbe8ca27d229bb7c1f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\336bbe63-d151-4a8d-93f8-7ba5c1a14cad.vbs

Filesize
766B

MD5
84466945dea14da4ac759e62b90cebe6

SHA1
53c4ab51fa248ffa8221aae535e86ad5e2f5eaa2

SHA256
7f1190523eec34acb6f0e8f827b9f6a241b478a2d42bd02de46d6faa3f192f40

SHA512
40e4130b88eb49c00816cc7742a04a1aa179fea991c03671edea0c002b974ac74c9ee14fa36b47d41005944149d14742c54932bc23296f5c6a2b47b4b3c3433e

Download Submit
C:\Users\Admin\AppData\Local\Temp\738e7c2a-124d-415d-aa6c-cacaefadd39d.vbs

Filesize
766B

MD5
f4355a6e8558852a8bad18ddaebfc671

SHA1
6c54dac1085fa59a4e560af2849809ff99461d63

SHA256
1c2f365bd91b732b69eb473bd0d31026f7247e76fd5136b55ff14865a972c943

SHA512
9cb2cdf99e7d30e7149f77ca1f80497ea27332068a7ef5f3d225601384089ad36ce70c9b7be6563179c0f329952ccb6dc94b1990fa4452a0cca54cb85c11632f

Download Submit
C:\Users\Admin\AppData\Local\Temp\97dd9aaa-337b-4502-bedb-819407e3f7e0.vbs

Filesize
542B

MD5
dffdab67125e467c8f3a02234d9c55fb

SHA1
7e17728446e07f40098f22f29357397ac4995bab

SHA256
62fb24b14846faaa740b889b8a47057d59f670637c6e00ec4bad5d92997e13bc

SHA512
8b0cffeb7384c5db1264836f9b5eb31c98c03e5ac72a99c7c328d49daccfa6cb779a13e4d36d4c3d08b1a07b53c32bf4c73bb040fd8958409a828b4a9ec48cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a32181fe-2d17-4e70-819c-1f6103eaaf41.vbs

Filesize
766B

MD5
ac24049cd64c0df37924dc30358c9867

SHA1
14633b7c6ccfa1178c454d0ab440df571f62500f

SHA256
8322b4aba5bddd44cd43e1bcfa74478642e8b89dd032c34993233e62cfddcc49

SHA512
d9e255fdf408af6320059b50b357db2130b5de9d8af3cacb1b4d5d6820a75a2b69a3eb1230abb734fe65a23e327d9ca1bb2d0b4fa6fa7b2ac9769f9628dd546c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8fda795-fd43-435e-9272-cc89e61fe819.vbs

Filesize
765B

MD5
e2332cb6a8363f8817ffb8b2cf87ecd3

SHA1
9f63fe5036588127935ee93b2f531d3b630c0067

SHA256
43a57424fc1ce1db49ec691367ecebb540e5f84a4cedaa743a236952edea1595

SHA512
971da5e4d3831dd93f0d1ac3767db9ad5d9389bab637ceebf7f2c965b906b0cc865fa224c44ddbfd0b5178f842c82fdc7ad3f4a0c4b6614272b4111bf4845fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd3f1e79-1163-40e6-94cd-22a237b084a0.vbs

Filesize
766B

MD5
db08ffe990a1b09b42b0870b52c2ac07

SHA1
defb61824340cb4bd07f3fabb649f72d9c9b09fa

SHA256
8c9767c4673ac1c108f8e68316bd17f7bf3a26ec9fbfe8f9e0bd71bef4b2c178

SHA512
3063f719bf9c35831f951e5390e6c5fb3608de1799eb434c6c5bdb26ca35cd0e1dd36b345da0b39bd0845a41cc40046b2e8f1ae11e8f45107505bb1eaaa05e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\d96886f7-792a-4642-95e3-41e7b002388c.vbs

Filesize
766B

MD5
55ba01cea78886687155b9bec2aa98ac

SHA1
5c87d5612f41702debec7e59b4ae53e6fb057be4

SHA256
7ecb2ee5c5f5c26ac384d16de32efb79eeffb1dbfe2b7ec77632e64e11ae4830

SHA512
31c2895bc85dbbc6e79d09988372f7ee1236a7ec8994d95429a47996409866c21a490693b0ad7cf6a4aa46bfc8ae857514bbb89cb4b6a452165a24b1fb6634ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF9E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e271a8d9f54fd2aa88120ef24daf4f3

SHA1
98daf76676e6228ca51f4a9615b000dd7de22679

SHA256
6fd343b53e9a01b9bc1acf407d6805fdd25d484ff8ca2e9264db8f0034c63738

SHA512
ec73d0022d14fd3aab7c9150d3f1dbecddd760fa44a46851a18b5be89847ba2efd9128637ca6ddef3cfa86b13b34076504c23558164f2eb0029cce8315fa6352

Download Submit
C:\Users\Default\bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec.exe

Filesize
4.9MB

MD5
ddddb3ecff4947efba41409aaaefc98f

SHA1
d91bcc91f9ffcdac68565a18b8d2376aaa63fdc1

SHA256
d2c9301969db7b3fe503b1e0bb2712aaa8826380df6f5f7bd93bf7ba7792340c

SHA512
2fc72d2fec495e165dcc714e4f520fce49886b1c98303adb41057576f9f6bdf9e99a2ce1d81a6da1226453bb8bc801a8f8bb71f132fc79b6bf6459a7a0ccb720

Download Submit
C:\Windows\AppPatch\AppPatch64\lsass.exe

Filesize
4.9MB

MD5
a521b23108ca72a0a8e837bb4bc6c309

SHA1
a80623d726004b9c0086377c19f822a67af0c490

SHA256
bd501e7aaaa5408118d4d9ee82fd656b1f43473ad3dfb306f9bd2e5bd061c7ec

SHA512
33835665ab96cb1d5ffe46fa6706e519c8314c6280967c18a265d1ceaae625691c3a65cc90a15cac48386a22162aa9631fcc0024360fff6970a76ed98cc0d21e

Download Submit
memory/264-138-0x0000000001220000-0x0000000001714000-memory.dmp

Filesize
5.0MB

Download
memory/1116-243-0x0000000000F10000-0x0000000001404000-memory.dmp

Filesize
5.0MB

Download
memory/1156-70-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1156-69-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1512-123-0x0000000000240000-0x0000000000734000-memory.dmp

Filesize
5.0MB

Download
memory/1712-228-0x00000000000B0000-0x00000000005A4000-memory.dmp

Filesize
5.0MB

Download
memory/1932-183-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/1932-182-0x00000000000D0000-0x00000000005C4000-memory.dmp

Filesize
5.0MB

Download
memory/1988-10-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/1988-15-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/1988-2-0x000000001B160000-0x000000001B28E000-memory.dmp

Filesize
1.2MB

Download
memory/1988-16-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1988-12-0x00000000007A0000-0x00000000007AE000-memory.dmp

Filesize
56KB

Download
memory/1988-3-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-11-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/1988-13-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/1988-9-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1988-124-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1988-1-0x0000000001210000-0x0000000001704000-memory.dmp

Filesize
5.0MB

Download
memory/1988-14-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/1988-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/1988-8-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1988-7-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/1988-6-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1988-5-0x00000000002C0000-0x00000000002C8000-memory.dmp

Filesize
32KB

Download
memory/1988-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2424-272-0x0000000000FF0000-0x00000000014E4000-memory.dmp

Filesize
5.0MB

Download
memory/2904-167-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/3028-199-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/3028-198-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download