dcrat | 75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Size

4.9MB
MD5

0f5cabfbc1180b73d7fadd9de190d3d0
SHA1

5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d
SHA256

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e
SHA512

79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b
SSDEEP

49152:Ll5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2744	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2744	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

audiodg.exe75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2184-2-0x000000001B450000-0x000000001B57E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2640	powershell.exe
3016	powershell.exe
1484	powershell.exe
2220	powershell.exe
3036	powershell.exe
1340	powershell.exe
2504	powershell.exe
300	powershell.exe
1104	powershell.exe
2676	powershell.exe
560	powershell.exe
1772	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
2368	audiodg.exe
2056	audiodg.exe
2512	audiodg.exe
2248	audiodg.exe
2148	audiodg.exe
3048	audiodg.exe
1300	audiodg.exe
2756	audiodg.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	audiodg.exe

Drops file in System32 directory 4 IoCs

Processes:

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\slmgr\0a1fd5f707cd16	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\RCXB4BC.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\sppsvc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\SysWOW64\slmgr\sppsvc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Drops file in Program Files directory 33 IoCs

Processes:

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\dwm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXA53B.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\b75386f1303e64	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6cb0b6c459d5d3	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\explorer.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA2CA.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXB6C0.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\886983d96e3d3e	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Sidebar\es-ES\7a0fd90576e088	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Windows Media Player\Icons\sppsvc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA0C6.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Portable Devices\dwm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\services.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\c5b4cb5e9653cc	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RCXAA1D.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\services.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXB8C4.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\explorer.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\dwm.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX9EC2.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXB2B8.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Drops file in Windows directory 16 IoCs

Processes:

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\tracing\audiodg.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\TAPI\RCXAC30.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\TAPI\audiodg.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXAE43.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\PolicyDefinitions\lsass.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\tracing\audiodg.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\tracing\42af1c969fbb7b	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\Vss\Writers\Application\d8cd31df7dcff3	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\TAPI\audiodg.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\TAPI\42af1c969fbb7b	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\PolicyDefinitions\lsass.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\tracing\RCXA7AC.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\Vss\Writers\Application\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXB0B4.tmp	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
File created	C:\Windows\PolicyDefinitions\6203df4a6bafc7	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
848	schtasks.exe
868	schtasks.exe
1948	schtasks.exe
584	schtasks.exe
1548	schtasks.exe
2740	schtasks.exe
2616	schtasks.exe
2352	schtasks.exe
2316	schtasks.exe
1812	schtasks.exe
1804	schtasks.exe
2500	schtasks.exe
3040	schtasks.exe
3028	schtasks.exe
2260	schtasks.exe
1116	schtasks.exe
444	schtasks.exe
1828	schtasks.exe
3048	schtasks.exe
2584	schtasks.exe
3008	schtasks.exe
2784	schtasks.exe
2572	schtasks.exe
2052	schtasks.exe
2428	schtasks.exe
780	schtasks.exe
1432	schtasks.exe
2632	schtasks.exe
2832	schtasks.exe
2056	schtasks.exe
2956	schtasks.exe
1244	schtasks.exe
1576	schtasks.exe
2884	schtasks.exe
2276	schtasks.exe
2600	schtasks.exe
2640	schtasks.exe
2100	schtasks.exe
1864	schtasks.exe
2528	schtasks.exe
2776	schtasks.exe
2028	schtasks.exe
1088	schtasks.exe
1904	schtasks.exe
1048	schtasks.exe
1612	schtasks.exe
1300	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
2676	powershell.exe
560	powershell.exe
1340	powershell.exe
1772	powershell.exe
3036	powershell.exe
3016	powershell.exe
1104	powershell.exe
2220	powershell.exe
2504	powershell.exe
1484	powershell.exe
2640	powershell.exe
300	powershell.exe
2368	audiodg.exe
2056	audiodg.exe
2512	audiodg.exe
2248	audiodg.exe
2148	audiodg.exe
3048	audiodg.exe
1300	audiodg.exe
2756	audiodg.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	2368	audiodg.exe
Token: SeDebugPrivilege	2056	audiodg.exe
Token: SeDebugPrivilege	2512	audiodg.exe
Token: SeDebugPrivilege	2248	audiodg.exe
Token: SeDebugPrivilege	2148	audiodg.exe
Token: SeDebugPrivilege	3048	audiodg.exe
Token: SeDebugPrivilege	1300	audiodg.exe
Token: SeDebugPrivilege	2756	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.execmd.exeaudiodg.exeWScript.exeaudiodg.exeWScript.exeaudiodg.exe

description	pid	Process	procid_target
PID 2184 wrote to memory of 300	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	80
PID 2184 wrote to memory of 300	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	80
PID 2184 wrote to memory of 300	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	80
PID 2184 wrote to memory of 3016	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	81
PID 2184 wrote to memory of 3016	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	81
PID 2184 wrote to memory of 3016	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	81
PID 2184 wrote to memory of 1484	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	82
PID 2184 wrote to memory of 1484	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	82
PID 2184 wrote to memory of 1484	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	82
PID 2184 wrote to memory of 2220	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	83
PID 2184 wrote to memory of 2220	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	83
PID 2184 wrote to memory of 2220	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	83
PID 2184 wrote to memory of 1104	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	84
PID 2184 wrote to memory of 1104	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	84
PID 2184 wrote to memory of 1104	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	84
PID 2184 wrote to memory of 2676	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	85
PID 2184 wrote to memory of 2676	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	85
PID 2184 wrote to memory of 2676	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	85
PID 2184 wrote to memory of 560	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	86
PID 2184 wrote to memory of 560	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	86
PID 2184 wrote to memory of 560	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	86
PID 2184 wrote to memory of 3036	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	87
PID 2184 wrote to memory of 3036	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	87
PID 2184 wrote to memory of 3036	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	87
PID 2184 wrote to memory of 1340	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	88
PID 2184 wrote to memory of 1340	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	88
PID 2184 wrote to memory of 1340	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	88
PID 2184 wrote to memory of 2504	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	89
PID 2184 wrote to memory of 2504	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	89
PID 2184 wrote to memory of 2504	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	89
PID 2184 wrote to memory of 1772	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	90
PID 2184 wrote to memory of 1772	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	90
PID 2184 wrote to memory of 1772	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	90
PID 2184 wrote to memory of 2640	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	92
PID 2184 wrote to memory of 2640	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	92
PID 2184 wrote to memory of 2640	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	92
PID 2184 wrote to memory of 928	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	104
PID 2184 wrote to memory of 928	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	104
PID 2184 wrote to memory of 928	2184	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe	104
PID 928 wrote to memory of 1720	928	cmd.exe	106
PID 928 wrote to memory of 1720	928	cmd.exe	106
PID 928 wrote to memory of 1720	928	cmd.exe	106
PID 928 wrote to memory of 2368	928	cmd.exe	108
PID 928 wrote to memory of 2368	928	cmd.exe	108
PID 928 wrote to memory of 2368	928	cmd.exe	108
PID 2368 wrote to memory of 1512	2368	audiodg.exe	109
PID 2368 wrote to memory of 1512	2368	audiodg.exe	109
PID 2368 wrote to memory of 1512	2368	audiodg.exe	109
PID 2368 wrote to memory of 2876	2368	audiodg.exe	110
PID 2368 wrote to memory of 2876	2368	audiodg.exe	110
PID 2368 wrote to memory of 2876	2368	audiodg.exe	110
PID 1512 wrote to memory of 2056	1512	WScript.exe	111
PID 1512 wrote to memory of 2056	1512	WScript.exe	111
PID 1512 wrote to memory of 2056	1512	WScript.exe	111
PID 2056 wrote to memory of 1596	2056	audiodg.exe	112
PID 2056 wrote to memory of 1596	2056	audiodg.exe	112
PID 2056 wrote to memory of 1596	2056	audiodg.exe	112
PID 2056 wrote to memory of 2772	2056	audiodg.exe	113
PID 2056 wrote to memory of 2772	2056	audiodg.exe	113
PID 2056 wrote to memory of 2772	2056	audiodg.exe	113
PID 1596 wrote to memory of 2512	1596	WScript.exe	114
PID 1596 wrote to memory of 2512	1596	WScript.exe	114
PID 1596 wrote to memory of 2512	1596	WScript.exe	114
PID 2512 wrote to memory of 2568	2512	audiodg.exe	115

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

audiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exeaudiodg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	audiodg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	audiodg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe
"C:\Users\Admin\AppData\Local\Temp\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1720
- - C:\Windows\TAPI\audiodg.exe
    "C:\Windows\TAPI\audiodg.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2368
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97b0b892-363d-4edf-837e-0640cf40d7ec.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2056
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d03be2fe-ea7f-4c12-ba08-d73761c99b0a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe4eeafc-3f7d-4016-96e4-c105b72aec5a.vbs"
        8⤵
        
        PID:2568
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6dced4b3-8901-4f2f-9fc4-05330bf4df9d.vbs"
        10⤵
        
        PID:2892
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\199a50e8-cb06-4406-8b84-43d92f7c9dac.vbs"
        12⤵
        
        PID:2372
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e1113cd-0a28-4a6c-961b-0154d2e34fb9.vbs"
        14⤵
        
        PID:1512
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78792ccf-fc2e-45d3-ac1f-68fc9ddc0595.vbs"
        16⤵
        
        PID:2164
        
        C:\Windows\TAPI\audiodg.exe
        
        C:\Windows\TAPI\audiodg.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e457833-500f-4e49-adf3-67f0fd589b52.vbs"
        16⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\412e3add-ffed-4982-bae5-1db485b602ca.vbs"
        14⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9184330c-f40a-40aa-9c83-12ba27d74e66.vbs"
        12⤵
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21275665-0417-4fc4-8bbb-480155ccf4e2.vbs"
        10⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\265fb39b-db20-4259-a731-37a79a1447ca.vbs"
        8⤵
        
        PID:1392
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d0fc04e-3e53-4c89-aac5-aa2a3cc6f3a5.vbs"
        6⤵
        
        PID:2772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46e0907b-11ec-4964-a8eb-70ba4bf1fbaa.vbs"
      4⤵
      PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN7" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN7" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\Application\75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673eN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\slmgr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\slmgr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\slmgr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Reference Assemblies\Microsoft\csrss.exe

Filesize
4.9MB

MD5
0f5cabfbc1180b73d7fadd9de190d3d0

SHA1
5a617e52ac7842c5a32c4caae9c0c1f1ea725a9d

SHA256
75c3cf5d0a539d0dbf9dd039f3f0712b6a13c11827e9c123f569ca9b4af5673e

SHA512
79bea9ea2a3659ab6a2d11c9aef9aaa235ee413de1f246b0c6cac6ca00c827a04c9309801dc2e1d9264bd932ccef458f136598173678d6409ee8cbbcecc8df9b

Download Submit
C:\Program Files\Reference Assemblies\Microsoft\csrss.exe

Filesize
4.9MB

MD5
d0cb10207b3a25421fe6e2dbf151af63

SHA1
a866ee046c435f01820089627e37ef5ab161a8a8

SHA256
36ec6e4db480342f2388335ea4f78f78cb7f90819cf351547aa68b7957c1f03c

SHA512
7351841724c57d73884d178c3050465902f38ee8a295769e03118b5b60cb4d29e2e9f0d954927c2cc5a911cdfaf08bfc6dba115c95f384c3bea184cf8220898d

Download Submit
C:\Users\Admin\AppData\Local\Temp\199a50e8-cb06-4406-8b84-43d92f7c9dac.vbs

Filesize
703B

MD5
65e97d907567393af11e991e6a491bc5

SHA1
d9b4d560aa5a9d1af8b5dc78d04a123ea08ec51e

SHA256
2e7de4babaa82e7fd27ec702fbbe85bc09874f477c9a96236439dcf8371270f9

SHA512
80224bb3fad4af809e15d5ecf8e761bf534d7a6b80a5437fa35737f4b0291641c7d6918fcc2fa476e639b56403c8e85fc8e63edfbeac43b50d69ef5d046ff0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e1113cd-0a28-4a6c-961b-0154d2e34fb9.vbs

Filesize
703B

MD5
17ce0a9464c157dde9842dc74144a341

SHA1
4cd4489dad20c269611b45fd1160d74fb82e02eb

SHA256
7eab6246822f9ae0516af033e9d9dab960d5883ee1e2ed2592095cb3b5480d72

SHA512
cc1f1fc42e4263e6c83580a858f3243ca1711e536bd2a69565db5752ac467dd66850c521320b278d8d12694987005ff9a5515a6ca0c54492f2dff301c5234547

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat

Filesize
192B

MD5
55a429d4a97d64245f0ac9e286378d0d

SHA1
acbed5b35106d3770aded456ad0b3320ed1078ff

SHA256
c97e677884c9764d07d23bf143830ec2cad68f2c5a34c360e40cb6f7811a84b7

SHA512
f231910b619d440bfb3473f29749b3bb0cd545825bec7b7fe6fc4b3eeeac31cf0405fa7847d7d73d50324b362dedf3b4e9f3eabe52440b5d604f47357cccde94

Download Submit
C:\Users\Admin\AppData\Local\Temp\46e0907b-11ec-4964-a8eb-70ba4bf1fbaa.vbs

Filesize
479B

MD5
66f4ce3d79bf2f6ce19da91f9bef6f87

SHA1
f17b8ac1a3d6e05466417eeb3533f9d41e3ae302

SHA256
74b609745fde2db60047aa7049d11ffce688d7aac7c53717270344658289fd33

SHA512
e93b45ae7d5b6e08765a83fbb4510b32dd7bbf1f307c34238fe9605f945644a79d717a8ac36afb9f112e0e0cf75d71d16e485ba61ca18f96b2a10de9a2b767a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\64d4e8ccf489ae3286332e24d7cacae58b7aad22.exe

Filesize
4.9MB

MD5
074461d8dd585910942d75773ed33d05

SHA1
bf38eab0aaa6c60b035ae57325b6f15c3e2c2639

SHA256
f74a808e9065676a79db27ee5fe8207da3b12edcc4d11404c1613ce1913aa425

SHA512
0ff002bf187e203e289efcf813eb307d7041b2d97c94222e23ce6cc82edea30896958c1143f40bb5a3ab23350ed792a95c2f97777d602d28e0c7411bb9b0e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dced4b3-8901-4f2f-9fc4-05330bf4df9d.vbs

Filesize
703B

MD5
951d10d299873486756075a22ac7a75b

SHA1
c538079c23602fecdafcfebd404386cfa2c9e874

SHA256
04ebfca77312cab90cf31bde4a3fff9a3bbccbdb4411bcb4ecc3ee6fe7a8eaa2

SHA512
ab73c284364f6f61a6acb7bac421a78ffea077cc01bffb73ab4bffd67ad547e2c121fb165966c10c81a8e300ac0db0518670d8182f18fda76ccae728e574d44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\78792ccf-fc2e-45d3-ac1f-68fc9ddc0595.vbs

Filesize
703B

MD5
ce02da55531bc41355fec7aee3e7e8ec

SHA1
15747fe51d9c28ba44348b5874c03b2d6fb4a3c9

SHA256
2145708320b873a8dc4c75a8afc1b4a64f85b51159a1493d9231662860186b29

SHA512
ed1bade5b52d328e063ebf26c0afeb940a20e40ca8106eb5f0669353bf4e71cf439f08fe20fb700ced5d009cf4b4829cc759f13da6235039e2bfdc6973965208

Download Submit
C:\Users\Admin\AppData\Local\Temp\97b0b892-363d-4edf-837e-0640cf40d7ec.vbs

Filesize
703B

MD5
d100fc225a9ab9d34e735bd532b47736

SHA1
0cd986e99c2216bf58bf7ed84452d7207d85bebe

SHA256
3607c5c02336a6dea195e5781c0649f7b376fa5a42976458be2cbe861afbea60

SHA512
b52492167282f226fe07a44f5090d2609dbb7cd951f1ec33036499908e804bdceb5530f80ed5df843945e870a8ac84cb6a98805a5c2d13b45ce9f7cd861086dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d03be2fe-ea7f-4c12-ba08-d73761c99b0a.vbs

Filesize
703B

MD5
eb6b91b3cf9251222dd86486ac1eaa2e

SHA1
5b7847f3261c233827ef77d72375af3d49c06520

SHA256
5ef894d9fa660c7765c3b95bd2c061e6f7b26ff2f75811fe34b3b34eed1ba9ca

SHA512
acbaa93fff9745cd9a3d20b85958738d82493ea6a178300b621d1814bc795edbc6ba7eedd4dc1f0a9519b97c578fdb7fb6093a7151815b7aaf37ede18c988cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe4eeafc-3f7d-4016-96e4-c105b72aec5a.vbs

Filesize
703B

MD5
8e807d02a7cfeac7041aaaeeee34f3c0

SHA1
93bbcd536c77d703abaef05f34eaa857a79976fe

SHA256
246a5fbdb23109c9fc9c02cb5c0e9da0250dd3e662e783c3f8f4408955b682aa

SHA512
a0e81ee43a655764883a1e1da73af7d2a37d57bcfd63b24d322583add87e22744d61baa867c1b6af13cfb4d4fc41b8d63895c349e4de599989818af3a0955e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE64A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9a1f9c72fadab8c99df16424ea925325

SHA1
1c2e3e51892faafae1cb42dfaa62c2ee38d868df

SHA256
94bf86537c4f6deac5652180bab48225d2623fe744fbe1dd56611d285a4e93fb

SHA512
87041c696d6efb819d132055f235de6938a14b7f9f7a39c1ffa48c31e615bd32963f4d5fc64c6e7e65ad0ede2f06321a3dc7f72689c428e370e5bcb1491530d7

Download Submit
memory/2148-295-0x00000000011E0000-0x00000000016D4000-memory.dmp

Filesize
5.0MB

Download
memory/2184-10-0x00000000011D0000-0x00000000011E2000-memory.dmp

Filesize
72KB

Download
memory/2184-11-0x0000000001260000-0x000000000126A000-memory.dmp

Filesize
40KB

Download
memory/2184-16-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/2184-15-0x00000000013A0000-0x00000000013A8000-memory.dmp

Filesize
32KB

Download
memory/2184-134-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2184-149-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-169-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-13-0x0000000001380000-0x000000000138E000-memory.dmp

Filesize
56KB

Download
memory/2184-1-0x00000000013D0000-0x00000000018C4000-memory.dmp

Filesize
5.0MB

Download
memory/2184-2-0x000000001B450000-0x000000001B57E000-memory.dmp

Filesize
1.2MB

Download
memory/2184-12-0x0000000001270000-0x000000000127E000-memory.dmp

Filesize
56KB

Download
memory/2184-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2184-14-0x0000000001390000-0x0000000001398000-memory.dmp

Filesize
32KB

Download
memory/2184-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2184-9-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/2184-8-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/2184-5-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2184-7-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/2184-6-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2248-280-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/2248-279-0x0000000000040000-0x0000000000534000-memory.dmp

Filesize
5.0MB

Download
memory/2368-236-0x0000000001230000-0x0000000001242000-memory.dmp

Filesize
72KB

Download
memory/2368-235-0x0000000001270000-0x0000000001764000-memory.dmp

Filesize
5.0MB

Download
memory/2512-264-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/2676-184-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2676-195-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download