dcrat | bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Size

4.9MB
MD5

1c49870cb9f2c55b6b22bd847a95cedb
SHA1

6fb3c646d41e94d57f4f0d01d853c090589514da
SHA256

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922
SHA512

969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8e:+

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2720	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3052-3-0x000000001B4A0000-0x000000001B5CE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1676	powershell.exe
2596	powershell.exe
2672	powershell.exe
2896	powershell.exe
528	powershell.exe
944	powershell.exe
1752	powershell.exe
1788	powershell.exe
1240	powershell.exe
1100	powershell.exe
2856	powershell.exe
1564	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

pid	Process
2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2476	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1604	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3012	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Drops file in Program Files directory 20 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\07bdf79f2d1225	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Mail\ja-JP\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX4AAC.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Uninstall Information\Idle.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCX5D0C.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX51A1.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX55D8.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Mail\ja-JP\886983d96e3d3e	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Mail\ja-JP\RCX4F7E.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\24dbde2999530e	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\886983d96e3d3e	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Drops file in Windows directory 12 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

description	ioc	Process
File opened for modification	C:\Windows\security\ApplicationId\PolicyManagement\RCX485A.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\schemas\RCX5F9C.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\07bdf79f2d1225	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\RCX4608.tmp	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\schemas\27d1bcfc3c54e0	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\security\ApplicationId\PolicyManagement\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File opened for modification	C:\Windows\schemas\System.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\csrss.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\security\ApplicationId\PolicyManagement\886983d96e3d3e	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
File created	C:\Windows\schemas\System.exe	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
836	schtasks.exe
2952	schtasks.exe
1864	schtasks.exe
2460	schtasks.exe
2508	schtasks.exe
2732	schtasks.exe
2352	schtasks.exe
2032	schtasks.exe
1492	schtasks.exe
2424	schtasks.exe
3020	schtasks.exe
2116	schtasks.exe
2772	schtasks.exe
2892	schtasks.exe
2800	schtasks.exe
1724	schtasks.exe
436	schtasks.exe
768	schtasks.exe
1988	schtasks.exe
2248	schtasks.exe
2148	schtasks.exe
1616	schtasks.exe
748	schtasks.exe
2624	schtasks.exe
2008	schtasks.exe
1912	schtasks.exe
1424	schtasks.exe
1168	schtasks.exe
1036	schtasks.exe
2220	schtasks.exe
2796	schtasks.exe
1428	schtasks.exe
880	schtasks.exe
1760	schtasks.exe
2916	schtasks.exe
560	schtasks.exe
2972	schtasks.exe
1612	schtasks.exe
780	schtasks.exe
2492	schtasks.exe
1816	schtasks.exe
588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

pid	Process
3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1100	powershell.exe
1564	powershell.exe
1676	powershell.exe
1788	powershell.exe
2672	powershell.exe
528	powershell.exe
1240	powershell.exe
2596	powershell.exe
1752	powershell.exe
2896	powershell.exe
2856	powershell.exe
944	powershell.exe
2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
2476	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1604	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
3012	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	2476	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1604	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	3012	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Token: SeDebugPrivilege	1148	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exebdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exeWScript.exe

description	pid	Process	procid_target
PID 3052 wrote to memory of 1100	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	73
PID 3052 wrote to memory of 1100	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	73
PID 3052 wrote to memory of 1100	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	73
PID 3052 wrote to memory of 2596	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	74
PID 3052 wrote to memory of 2596	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	74
PID 3052 wrote to memory of 2596	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	74
PID 3052 wrote to memory of 1676	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	75
PID 3052 wrote to memory of 1676	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	75
PID 3052 wrote to memory of 1676	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	75
PID 3052 wrote to memory of 1240	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	76
PID 3052 wrote to memory of 1240	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	76
PID 3052 wrote to memory of 1240	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	76
PID 3052 wrote to memory of 1788	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	78
PID 3052 wrote to memory of 1788	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	78
PID 3052 wrote to memory of 1788	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	78
PID 3052 wrote to memory of 1752	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	80
PID 3052 wrote to memory of 1752	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	80
PID 3052 wrote to memory of 1752	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	80
PID 3052 wrote to memory of 528	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	81
PID 3052 wrote to memory of 528	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	81
PID 3052 wrote to memory of 528	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	81
PID 3052 wrote to memory of 944	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	83
PID 3052 wrote to memory of 944	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	83
PID 3052 wrote to memory of 944	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	83
PID 3052 wrote to memory of 2896	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	84
PID 3052 wrote to memory of 2896	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	84
PID 3052 wrote to memory of 2896	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	84
PID 3052 wrote to memory of 1564	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	86
PID 3052 wrote to memory of 1564	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	86
PID 3052 wrote to memory of 1564	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	86
PID 3052 wrote to memory of 2856	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	88
PID 3052 wrote to memory of 2856	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	88
PID 3052 wrote to memory of 2856	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	88
PID 3052 wrote to memory of 2672	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	90
PID 3052 wrote to memory of 2672	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	90
PID 3052 wrote to memory of 2672	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	90
PID 3052 wrote to memory of 2376	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	97
PID 3052 wrote to memory of 2376	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	97
PID 3052 wrote to memory of 2376	3052	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	97
PID 2376 wrote to memory of 2016	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	98
PID 2376 wrote to memory of 2016	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	98
PID 2376 wrote to memory of 2016	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	98
PID 2376 wrote to memory of 1668	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	99
PID 2376 wrote to memory of 1668	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	99
PID 2376 wrote to memory of 1668	2376	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	99
PID 2016 wrote to memory of 1132	2016	WScript.exe	100
PID 2016 wrote to memory of 1132	2016	WScript.exe	100
PID 2016 wrote to memory of 1132	2016	WScript.exe	100
PID 1132 wrote to memory of 1036	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	101
PID 1132 wrote to memory of 1036	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	101
PID 1132 wrote to memory of 1036	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	101
PID 1132 wrote to memory of 316	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	102
PID 1132 wrote to memory of 316	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	102
PID 1132 wrote to memory of 316	1132	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	102
PID 1036 wrote to memory of 2796	1036	WScript.exe	103
PID 1036 wrote to memory of 2796	1036	WScript.exe	103
PID 1036 wrote to memory of 2796	1036	WScript.exe	103
PID 2796 wrote to memory of 576	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	104
PID 2796 wrote to memory of 576	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	104
PID 2796 wrote to memory of 576	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	104
PID 2796 wrote to memory of 2792	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	105
PID 2796 wrote to memory of 2792	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	105
PID 2796 wrote to memory of 2792	2796	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe	105
PID 576 wrote to memory of 2476	576	WScript.exe	106

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
"C:\Users\Admin\AppData\Local\Temp\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9873c7ae-f706-4340-8f3a-973a86f8bce2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1828d4b1-539e-4a76-8214-b14d0ca3ac03.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c82be802-16aa-432e-92cf-3335ed948564.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ab882d6-11ad-4ade-989b-91a6fcfde1d0.vbs"
        9⤵
        
        PID:1240
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0efe9dc-b337-484f-be05-714724921bf9.vbs"
        11⤵
        
        PID:2816
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1bef876-1e19-4a64-a2b1-1ce623221fa7.vbs"
        13⤵
        
        PID:2168
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdbc6c64-708e-4c10-a41b-af031892072c.vbs"
        15⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94e075e3-e6cf-4b68-80f6-f0814bc0ae3e.vbs"
        15⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2583d607-a52f-48e7-a37f-0452281fbefe.vbs"
        13⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f5b9108-4436-4d22-9a6b-8db87c6b6ea5.vbs"
        11⤵
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2317c036-a0ff-4645-829b-c4b2153c8818.vbs"
        9⤵
        
        PID:780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34b1d002-866b-4692-9d01-a52511746108.vbs"
        7⤵
        
        PID:2792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ef10c13-c507-455d-94a9-c4a03e0e609b.vbs"
        5⤵
        
        PID:316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4190c7e1-0161-48ea-9e72-d1541f5d5819.vbs"
    3⤵
    PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\PolicyManagement\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\security\ApplicationId\PolicyManagement\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922" /sc ONLOGON /tr "'C:\MSOCache\All Users\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922b" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\smss.exe

Filesize
4.9MB

MD5
1c49870cb9f2c55b6b22bd847a95cedb

SHA1
6fb3c646d41e94d57f4f0d01d853c090589514da

SHA256
bdb0b9fbd4dc7a981beee8cf746a2153d8b342e0a59eced14b28f0fceeed0922

SHA512
969c4a8f98da747a080a3de37924aedca323733c3c412948d58036354aa78a0f8547f35dbcce8128dbc5e8db85573b791d7ccd0ebb6521351189e4f0b7393452

Download Submit
C:\Users\Admin\AppData\Local\Temp\1828d4b1-539e-4a76-8214-b14d0ca3ac03.vbs

Filesize
802B

MD5
3d4cf35d06116469cca301e6eca9c2cd

SHA1
7de5fedf76beb387076d972a266049a5126c806b

SHA256
bbd36d168b0dd198891d69aca12b7bfe22d233a85adccb1d44b8781de0053008

SHA512
01fb8ce2816e24566c1514e062c060e04298404c41b636739f13750d5baecd2cbcdfcd7ade598b7a48b33dc84d2f8f1e599b823e2fcc54e3d0ff26b97db86cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4190c7e1-0161-48ea-9e72-d1541f5d5819.vbs

Filesize
578B

MD5
9db751082583a230ee2083cbee674ab1

SHA1
f2d4932f50936e401f186e4623a7241b844bab02

SHA256
bdb81782698db5fe71ce7ee7331637e625afca38f374240ec989e3693b317b50

SHA512
be886f780d2f9d71c29b103a5a77ee183c6ed32c9b8dc8562d9016500ea7fb4007e9319ca237ad18b064e9f7f2e81403337c6b5434597e1a4d469ef21013cef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ab882d6-11ad-4ade-989b-91a6fcfde1d0.vbs

Filesize
802B

MD5
ed6eecbbcd386ffaf82a927b26f9a7e1

SHA1
fc3121eb95cbd2688e57e884ab72e477ed28e318

SHA256
5bc0060a571426d636beab3bcd5f2c8d009f11fbae3bbf3236d0bf78eb84c928

SHA512
60700a40bda39cf814667f7da48883e7b7ba968e380aca85a01d6d23d178836e3b299740b0c77826fca845f1cf2d4f3a606ca258461fc8dde65ab80db2c4ab1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9873c7ae-f706-4340-8f3a-973a86f8bce2.vbs

Filesize
802B

MD5
673bff4853a7302d5886e6d29889f83b

SHA1
0cdb38d73bd019e20506639731d4a3ffac856370

SHA256
8c8948f187ea8ebdcc3390423a54e1c83b2ebba670f7defd0f5370b93bc2c7a2

SHA512
6d339f3a78d0844cbb7ad645473c2372858ceb5da73aa4e20ec65958718f27f1ad520459a7cab4cf41a0a1cff270e38b9b22563611b27948f40e1d00c59cd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0efe9dc-b337-484f-be05-714724921bf9.vbs

Filesize
802B

MD5
07955a5760ba2cc28c031c3c598e611e

SHA1
e0c43c263b2540c17ec51826c692a771736b17c0

SHA256
cc1e0790ad31bbeaa5694001cad41e547efecc022dd0f421422b7e9986cf4ef0

SHA512
8c5ec50f9f816ea5d2539adf5a3fb1705f7f622f3a36d26cf8d3d02dd5766d9cb4ce7c2c66aeb28ad289a322d10ce58ce34ffbb851540eb7c7fb70249114c464

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdbc6c64-708e-4c10-a41b-af031892072c.vbs

Filesize
802B

MD5
259122ea853060b772676b50f4bbb4dd

SHA1
93f33644b465d8a73381afeee20ac7818a7c86e7

SHA256
66ab7708b0e97d17f1c2f57b62e608dddcf06d7d8c5f913a50a795b9577740a7

SHA512
f20b026e94c0146172e501ffbfdcde0c001d2994a2f0d5a6e30607ca7f0b53aa35154ed513718c371f807fbfcfddf85322a9d584c07b1b1156d9a5ec12febd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1bef876-1e19-4a64-a2b1-1ce623221fa7.vbs

Filesize
802B

MD5
79335703077f988426ed4965cbee16cf

SHA1
cd9b6a2ba762d7c4ba05fedde0b906895852ff15

SHA256
6d194ceba08163c2549b2b338f9e705aeaea98eff4877b8cac2d684163aeb388

SHA512
45bbcaa28b81fe58ef07bf1b0b67670933470752a8de65311b1683d461004bbde7959b85484d53272e6cd23a09309f562088acec055ad7df5a35e242ed91387e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c82be802-16aa-432e-92cf-3335ed948564.vbs

Filesize
802B

MD5
89dde7d1ae86a1ea1632ef5a99bca653

SHA1
b32223b45732ebe3df715823b9ded91474e0e64c

SHA256
2bf7fc037838b529d60f32ccf7143099ab53747b5618221db23f7b2f16f9e2fe

SHA512
c637abc469bbf0532515c11a156b9029a62d14b41258525c805d632287b9b1459661911a8c56292d3072a4d9d1c66c45e30c7d915e02a514f022ba45b2e8241e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79E1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e64f98c6ff09a8dfd9b4f74dd383192c

SHA1
e0eb69de6461faafa002b4ec9cdbbe33cba54f88

SHA256
75686cacb56df4505f0b27f6e60647186597dec88819cdfe800bd8a46a58c4b2

SHA512
c97dda3f52dc501641987bae5611da8bb678a25dd83b81ea358e44373a0cc4a150de71b7a34f54c15896d29c0637c8c88b79b5df87ab80f4ed4135b2c8f9c79f

Download Submit
memory/1100-159-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1132-205-0x00000000024C0000-0x00000000024D2000-memory.dmp

Filesize
72KB

Download
memory/1132-204-0x0000000000920000-0x0000000000E14000-memory.dmp

Filesize
5.0MB

Download
memory/1148-280-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1564-157-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/1604-250-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/2376-183-0x0000000000850000-0x0000000000D44000-memory.dmp

Filesize
5.0MB

Download
memory/2376-190-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2476-235-0x0000000000140000-0x0000000000634000-memory.dmp

Filesize
5.0MB

Download
memory/2796-220-0x0000000000E20000-0x0000000001314000-memory.dmp

Filesize
5.0MB

Download
memory/3012-265-0x0000000000BD0000-0x00000000010C4000-memory.dmp

Filesize
5.0MB

Download
memory/3052-11-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/3052-6-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/3052-189-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-13-0x00000000009D0000-0x00000000009DE000-memory.dmp

Filesize
56KB

Download
memory/3052-9-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/3052-8-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/3052-7-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/3052-99-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/3052-10-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/3052-84-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/3052-5-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/3052-12-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/3052-4-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/3052-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/3052-3-0x000000001B4A0000-0x000000001B5CE000-memory.dmp

Filesize
1.2MB

Download
memory/3052-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/3052-2-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-14-0x0000000000C80000-0x0000000000C88000-memory.dmp

Filesize
32KB

Download
memory/3052-1-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download