dcrat | 0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656

Analysis

max time kernel
116s
max time network
117s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Size

4.9MB
MD5

094c63e5d39cc0d204e4cc47398dffb0
SHA1

a33098a3e39361f7f2a405a45c29234b1b17d55a
SHA256

0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656
SHA512

7541e961fbd5b28b72519484c177181ff3c6f37d01b1664bc547d1f956f2808bfb09e9d288d0f9fe354eb91ac17b64fcf414f73fe98897e2323f8dbf0453a0e2
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2772	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2772	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2496-3-0x000000001AB80000-0x000000001ACAE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
2536	powershell.exe
1576	powershell.exe
2528	powershell.exe
288	powershell.exe
2372	powershell.exe
1380	powershell.exe
1356	powershell.exe
1248	powershell.exe
2312	powershell.exe
2552	powershell.exe
1560	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2484	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2100	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1680	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2728	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1588	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1592	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1428	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\886983d96e3d3e	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files\Google\Chrome\RCXEF18.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\RCXF11C.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RCXF794.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files\DVD Maker\WMIADAP.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files\DVD Maker\75a57c1bdf437c	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files\Google\Chrome\csrss.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files\DVD Maker\RCXE69D.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\7a0fd90576e088	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\c8bf860aabb606	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\explorer.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\explorer.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files\DVD Maker\WMIADAP.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Program Files\Google\Chrome\csrss.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Architecture\6203df4a6bafc7	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\servicing\it-IT\Idle.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\es-ES\cc11b995f2a76d	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\lsass.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\PLA\Reports\fr-FR\taskhost.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\RCXF320.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\es-ES\RCXF591.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\Media\Cityscape\winlogon.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\Media\Cityscape\cc11b995f2a76d	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\RCXE081.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\PLA\Reports\fr-FR\taskhost.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\Web\Wallpaper\Architecture\lsass.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\PLA\Reports\fr-FR\b75386f1303e64	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File created	C:\Windows\es-ES\winlogon.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\Media\Cityscape\RCXED14.tmp	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\Media\Cityscape\winlogon.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
File opened for modification	C:\Windows\es-ES\winlogon.exe	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1080	schtasks.exe
2880	schtasks.exe
2944	schtasks.exe
1784	schtasks.exe
2476	schtasks.exe
1344	schtasks.exe
1880	schtasks.exe
1296	schtasks.exe
2968	schtasks.exe
3060	schtasks.exe
2740	schtasks.exe
380	schtasks.exe
2484	schtasks.exe
528	schtasks.exe
2868	schtasks.exe
2644	schtasks.exe
2472	schtasks.exe
3032	schtasks.exe
2796	schtasks.exe
2060	schtasks.exe
1932	schtasks.exe
2136	schtasks.exe
2660	schtasks.exe
2640	schtasks.exe
324	schtasks.exe
2988	schtasks.exe
2036	schtasks.exe
2524	schtasks.exe
1712	schtasks.exe
2112	schtasks.exe
1760	schtasks.exe
2876	schtasks.exe
2668	schtasks.exe
2532	schtasks.exe
2820	schtasks.exe
760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1248	powershell.exe
288	powershell.exe
2536	powershell.exe
1576	powershell.exe
2528	powershell.exe
2312	powershell.exe
2372	powershell.exe
1380	powershell.exe
1560	powershell.exe
1356	powershell.exe
2552	powershell.exe
2300	powershell.exe
2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2484	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2100	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1680	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
2728	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1588	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1592	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
1428	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	2484	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	2100	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1680	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	2728	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1588	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1592	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Token: SeDebugPrivilege	1428	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2536	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	68
PID 2496 wrote to memory of 2536	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	68
PID 2496 wrote to memory of 2536	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	68
PID 2496 wrote to memory of 1248	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	69
PID 2496 wrote to memory of 1248	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	69
PID 2496 wrote to memory of 1248	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	69
PID 2496 wrote to memory of 2312	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	70
PID 2496 wrote to memory of 2312	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	70
PID 2496 wrote to memory of 2312	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	70
PID 2496 wrote to memory of 2552	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	71
PID 2496 wrote to memory of 2552	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	71
PID 2496 wrote to memory of 2552	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	71
PID 2496 wrote to memory of 1576	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	72
PID 2496 wrote to memory of 1576	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	72
PID 2496 wrote to memory of 1576	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	72
PID 2496 wrote to memory of 1560	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	73
PID 2496 wrote to memory of 1560	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	73
PID 2496 wrote to memory of 1560	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	73
PID 2496 wrote to memory of 2528	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	74
PID 2496 wrote to memory of 2528	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	74
PID 2496 wrote to memory of 2528	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	74
PID 2496 wrote to memory of 2372	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	75
PID 2496 wrote to memory of 2372	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	75
PID 2496 wrote to memory of 2372	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	75
PID 2496 wrote to memory of 288	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	76
PID 2496 wrote to memory of 288	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	76
PID 2496 wrote to memory of 288	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	76
PID 2496 wrote to memory of 2300	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	77
PID 2496 wrote to memory of 2300	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	77
PID 2496 wrote to memory of 2300	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	77
PID 2496 wrote to memory of 1380	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	78
PID 2496 wrote to memory of 1380	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	78
PID 2496 wrote to memory of 1380	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	78
PID 2496 wrote to memory of 1356	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	79
PID 2496 wrote to memory of 1356	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	79
PID 2496 wrote to memory of 1356	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	79
PID 2496 wrote to memory of 2088	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	92
PID 2496 wrote to memory of 2088	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	92
PID 2496 wrote to memory of 2088	2496	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	92
PID 2088 wrote to memory of 1680	2088	cmd.exe	94
PID 2088 wrote to memory of 1680	2088	cmd.exe	94
PID 2088 wrote to memory of 1680	2088	cmd.exe	94
PID 2088 wrote to memory of 2068	2088	cmd.exe	95
PID 2088 wrote to memory of 2068	2088	cmd.exe	95
PID 2088 wrote to memory of 2068	2088	cmd.exe	95
PID 2068 wrote to memory of 700	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	96
PID 2068 wrote to memory of 700	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	96
PID 2068 wrote to memory of 700	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	96
PID 2068 wrote to memory of 2568	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	97
PID 2068 wrote to memory of 2568	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	97
PID 2068 wrote to memory of 2568	2068	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	97
PID 700 wrote to memory of 1528	700	WScript.exe	98
PID 700 wrote to memory of 1528	700	WScript.exe	98
PID 700 wrote to memory of 1528	700	WScript.exe	98
PID 1528 wrote to memory of 1196	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	99
PID 1528 wrote to memory of 1196	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	99
PID 1528 wrote to memory of 1196	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	99
PID 1528 wrote to memory of 1676	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	100
PID 1528 wrote to memory of 1676	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	100
PID 1528 wrote to memory of 1676	1528	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	100
PID 1196 wrote to memory of 2484	1196	WScript.exe	101
PID 1196 wrote to memory of 2484	1196	WScript.exe	101
PID 1196 wrote to memory of 2484	1196	WScript.exe	101
PID 2484 wrote to memory of 1828	2484	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe	102

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
"C:\Users\Admin\AppData\Local\Temp\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qUMg8BuEM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1680
- - C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
    "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2068
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2466f03-de47-4b21-981f-0fd2f085b184.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ab911c-a89d-4b28-be7d-1f291e7558b7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ed9d8dd-5343-432e-be98-3d7ac8491045.vbs"
        8⤵
        
        PID:1828
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dc4c94c-82dc-41af-b2c7-09e91fd482fc.vbs"
        10⤵
        
        PID:2952
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d68c36-7cd1-43ac-b1c9-451f9e913e48.vbs"
        12⤵
        
        PID:2164
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\709aab63-c330-4706-96ad-efbd41b8cb0d.vbs"
        14⤵
        
        PID:2996
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2aa03b7-45a7-43ad-a6ad-a1466a820a28.vbs"
        16⤵
        
        PID:2624
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf805f21-fdaf-4c08-bfb2-cd1c5f41967d.vbs"
        18⤵
        
        PID:2064
        
        C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe
        
        "C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368a8e48-613b-46a2-bd47-f29764c54368.vbs"
        20⤵
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba6a54f3-f883-40f4-9cff-6837415dbc81.vbs"
        20⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9abb3542-9c28-4463-b543-fd507514c748.vbs"
        18⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02788ddb-b635-40a1-b2cc-4851e93462b5.vbs"
        16⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e35e0a5-18f0-439b-92df-032b6874ec82.vbs"
        14⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9404f471-1e70-4f97-9ac5-59b1844b9b2e.vbs"
        12⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\679c5a2d-e8c5-4716-94e1-01f162959589.vbs"
        10⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ddad5ac-033f-40df-b8f8-6e2752929b85.vbs"
        8⤵
        
        PID:1820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77751063-e436-42d4-8893-c2a359f3c3e6.vbs"
        6⤵
        
        PID:1676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f33f78d-fa16-46f1-8040-e9242b7d7241.vbs"
      4⤵
      PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Architecture\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Cityscape\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N0" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N0" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Reports\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe

Filesize
4.9MB

MD5
094c63e5d39cc0d204e4cc47398dffb0

SHA1
a33098a3e39361f7f2a405a45c29234b1b17d55a

SHA256
0401226a7fb3c2d913e0ecd8dcc8d19a04979ee1414c30042215f24c9fc43656

SHA512
7541e961fbd5b28b72519484c177181ff3c6f37d01b1664bc547d1f956f2808bfb09e9d288d0f9fe354eb91ac17b64fcf414f73fe98897e2323f8dbf0453a0e2

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\explorer.exe

Filesize
4.9MB

MD5
2c316fcdd28be6853ed3f7374a981710

SHA1
b646d31991a8cac3cb5abfd0e343bed47a9c4242

SHA256
6deb304da7714b1f9da6346cb876f89d5609372243b25b8660b3741c0c174097

SHA512
794f19dc870c2ff982d77cc1899a21e37f7a3d4953a89e0c35d42e12f7eaba26f6edd4c5d92e6a2e265c23bf8b77c1fb773a7baba73d3378da18370dfb400ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\368a8e48-613b-46a2-bd47-f29764c54368.vbs

Filesize
795B

MD5
481456fbbe9b2cf035b506ad9005f3a3

SHA1
196b858f79a6d7df3ddee8f1a5b5031b6ccfed74

SHA256
acf3cf286aa1bdeaeb95d56e5d3357e6a2a11c1bd053f50975df19ff34695e20

SHA512
f12419ffcbdaea920a157b0853f93b7773c17f4d7e9bce0b6aa15b12029dfe196828935b911089f369f37781e2e8c8e1b6929ce8ff6e4f4c2d672676b08d965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\58d68c36-7cd1-43ac-b1c9-451f9e913e48.vbs

Filesize
795B

MD5
01f3741ac40dcdbf44ec63667985396e

SHA1
5346061e63002c955533ba1e0145a5a7580d115e

SHA256
69b26d2283b4ed683ef8aa4271c0379e42f0d2cbdc08852265a1aa4d10802e56

SHA512
a362c178268179afff6caa7649971c571bab2bca413964afaef575f5a6213bad11c73d2de63f8a386671117b399c2ef953d657ff9e88d56b3ded2eb01e46cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dc4c94c-82dc-41af-b2c7-09e91fd482fc.vbs

Filesize
795B

MD5
e08c101d652935195ef809f4510d678c

SHA1
e5d26b237bb397e47c41695460b7b69674e22218

SHA256
1b0f1183c22caac7d515538b84769937429c7642e0dd64c5caefce2c68440996

SHA512
f5848723843030d0a9e1dbd5e29c3dc660df843d25ed8f2b80c6a6fbad66f3d20dfcd0173a58e5a5d5e250948844f43f3215199fe4ec1ca70a79f75cc3feccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f33f78d-fa16-46f1-8040-e9242b7d7241.vbs

Filesize
571B

MD5
84a5c202ae7e37999d5dd62fdd6acc1d

SHA1
2eec8353846928b161ee541084cb7bad35e4e5f8

SHA256
31ea51190fa9334da9d87877541efbbc10101858e48400979b509337a1dee0bc

SHA512
a37a7aa10ceb91f303b1455d0f04d379bbbe4997289cf80ac141fbcc5b4c6ff9940709b5968b0430d78caf774a57183621726d6ef685bf85c6f801bdb8d559ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ed9d8dd-5343-432e-be98-3d7ac8491045.vbs

Filesize
795B

MD5
859cd4ffe939fbe75bd06e4a5b23153d

SHA1
a4187538f88d195be4511b4a86e0169c159c8134

SHA256
f28df26cec09e3dfc6b2755e911cf8ed9a16d03de0ea97baf35599bbdca3100b

SHA512
40da2e2a709a6f76bbab31a8aaa02c82134cbecb883b4da064a85d1851324dfd9b6e51b9ba736c7f3045e270c42656b38f99f7d70ef70a1db418a526642f431f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qUMg8BuEM.bat

Filesize
284B

MD5
609603aef5f1f6504c928229b2b589d7

SHA1
fee41049690a6a6618b3e5618a0ba600db8bfa35

SHA256
a0e26fcf00edacc5485e9cb4b582a1e564e3791bb91ad6c7c5fcf442c10acbc4

SHA512
12a1c9116a4a14194ade8089d2b68338869a3be3f7d02fb3a9e1d7490e68cdc7f654cbb9df1ef5f69c63a37852f5a9a5ec12cede8ed6cf0be3fdc761a4d12e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\709aab63-c330-4706-96ad-efbd41b8cb0d.vbs

Filesize
795B

MD5
5f96dece4d73bf3fec4403640170f40b

SHA1
0b4f9ec53fef2cf02fcf18ace22ada2deb776b7a

SHA256
a4bc0a2e25dba535c2b92a7e7060240a20cb3886f26c940385e5a5ca6e6f23d4

SHA512
fb1b6ee9bfe3836b15af75f2f1a02d876229695fe4bf25a987fd5b98a289692160ae6349e9c07186efa41bb0991aa0bdca4e37ec64237ba9a04cbe4cd8a88f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\94ab911c-a89d-4b28-be7d-1f291e7558b7.vbs

Filesize
795B

MD5
cb49430ed186772e7f3b785eb00933d4

SHA1
a21be8e1dd29d6203836ddf4c7aecdb6a7b7b15e

SHA256
441ded69e38a1d6b43abd9e519109257a50211bbc542abd295524d661b30ddd2

SHA512
0b90db3cd9b774ea281183669da82fd69d2d43e5ec32084c627f34e12c75c5de1590fe36dc2e4e76ca4cef350643e7c0b87411a266b8a36873317c9d7ae68ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf805f21-fdaf-4c08-bfb2-cd1c5f41967d.vbs

Filesize
795B

MD5
56dc4c653afcdee997457e55966974b1

SHA1
6d0492b0120ec0a73cba60552e1146972780403c

SHA256
5ca60d942775291c2ca418b2b1ced3c5db529790b8e88f761882dcede9a3496c

SHA512
3991cdc73138d65177854823e1c8773edcb2c823f2aff228c92eaeeddcff241230f0014844079bf9b75e63e928078968140660e216d7ec645cfa8b32ba303fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2466f03-de47-4b21-981f-0fd2f085b184.vbs

Filesize
795B

MD5
aaae35ca333940bf5346ea34177ad61a

SHA1
5c52298f4898aaacb5dacbf6db574c430ee7b168

SHA256
6a861368de348cab62aa7a0eb51c33af227b681143d4b1a5e269c78f3c7178a0

SHA512
e1c44f67771f1845e23ac1957d339abfd0bea98a7ea1043b49fc7214c6e82aa17573454912d8c5c145afff34a8c741ffe97459a5e146c2eb2e8365d3e8038b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2aa03b7-45a7-43ad-a6ad-a1466a820a28.vbs

Filesize
795B

MD5
0d6344013b013c6670360aa5861670fb

SHA1
b78a8cbd68ac1b6e55480db033e957678eb60ae8

SHA256
60ff1443cd8054ae28b250926c34fb8429162d8b65011caecfbdbdcb80973092

SHA512
7c318094e46473755b32a675b595000d65b7c70a9e58fa5cc416404164898e9162f4ea54c5455023294651734874caa2869eceec05bc41d2d9d3dc4547f929bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22CC.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e080f9e88a18bb5d3c4d5571a145fbd

SHA1
4f5f33d159663330e2ac326f0f71fc3e56824df0

SHA256
37b421ec2742ecae4392f659789b3edb9d297ba3353f6cb06cb0820b3d357949

SHA512
f48658b72ed52afbd7c0ae94b87841e90f100e41cb477794aee1fd66e6692cbec498c0d56dd5e23804d3ad5fa1e049ef5fb1cbb0eb1e9a7f9db2fe5eb3129cb7

Download Submit
memory/1248-137-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1248-139-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1528-209-0x0000000000FA0000-0x0000000001494000-memory.dmp

Filesize
5.0MB

Download
memory/1528-210-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1592-296-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2068-194-0x0000000000EF0000-0x00000000013E4000-memory.dmp

Filesize
5.0MB

Download
memory/2068-195-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2484-225-0x0000000001340000-0x0000000001834000-memory.dmp

Filesize
5.0MB

Download
memory/2496-9-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/2496-15-0x000000001ACB0000-0x000000001ACB8000-memory.dmp

Filesize
32KB

Download
memory/2496-13-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/2496-11-0x00000000026C0000-0x00000000026CA000-memory.dmp

Filesize
40KB

Download
memory/2496-10-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/2496-14-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2496-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2496-131-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-8-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2496-12-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/2496-7-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/2496-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2496-5-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2496-4-0x0000000000390000-0x00000000003AC000-memory.dmp

Filesize
112KB

Download
memory/2496-3-0x000000001AB80000-0x000000001ACAE000-memory.dmp

Filesize
1.2MB

Download
memory/2496-16-0x000000001ACC0000-0x000000001ACCC000-memory.dmp

Filesize
48KB

Download
memory/2496-2-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-1-0x0000000000DC0000-0x00000000012B4000-memory.dmp

Filesize
5.0MB

Download