dcrat | 7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Size

1.5MB
MD5

9999309dcb3eb9d4b42ad1515c3f5cd0
SHA1

f43f97d19fd1b686592e78619ba7a3152e480cef
SHA256

7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36
SHA512

0a36a29be1aef8482bd59ed339edfeda3b1ea7addefb06c48aa68dbd15094dfb12a08e64937527a76eeb38f2576fe9d0cb6209a56dc89be806aa9503824b8dc2
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\", \"C:\\Windows\\System32\\eqossnap\\services.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\", \"C:\\Windows\\System32\\eqossnap\\services.exe\", \"C:\\Windows\\addins\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\", \"C:\\Windows\\System32\\eqossnap\\services.exe\", \"C:\\Windows\\addins\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\", \"C:\\Windows\\System32\\eqossnap\\services.exe\", \"C:\\Windows\\addins\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\", \"C:\\Windows\\System32\\eqossnap\\services.exe\", \"C:\\Windows\\addins\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\", \"C:\\Windows\\TSSysprep\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WindowsUpdate\\explorer.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2716	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2716	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
1700	powershell.exe
1920	powershell.exe
2964	powershell.exe
1592	powershell.exe
1604	powershell.exe
2076	powershell.exe
1908	powershell.exe
1420	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Executes dropped EXE 13 IoCs

pid	Process
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
1596	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
1968	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2908	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
1800	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2204	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
1928	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2416	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2100	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\eqossnap\\services.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\TSSysprep\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\addins\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsUpdate\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.es\\taskhost.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\eqossnap\\services.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\addins\\Idle.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\TSSysprep\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\WindowsUpdate\\explorer.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Windows Sidebar\\en-US\\sppsvc.exe\""	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\eqossnap\services.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\System32\eqossnap\services.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\System32\eqossnap\c5b4cb5e9653cc	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\System32\eqossnap\RCXB7AF.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\0a1fd5f707cd16	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXB33B.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXBDBB.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\addins\6ccacd8608530f	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\TSSysprep\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\TSSysprep\7a0fd90576e088	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\WindowsUpdate\RCXB137.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\TSSysprep\RCXBFBF.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\TSSysprep\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\WindowsUpdate\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\WindowsUpdate\explorer.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\WindowsUpdate\7a0fd90576e088	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File created	C:\Windows\addins\Idle.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\addins\RCXB9B3.tmp	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
File opened for modification	C:\Windows\addins\Idle.exe	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2732	schtasks.exe
2628	schtasks.exe
2860	schtasks.exe
2736	schtasks.exe
2748	schtasks.exe
2636	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2712	powershell.exe
1700	powershell.exe
1908	powershell.exe
1604	powershell.exe
2076	powershell.exe
2964	powershell.exe
1420	powershell.exe
1592	powershell.exe
1920	powershell.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	1596	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	1968	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2908	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	1800	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2204	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	1928	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	3028	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2416	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Token: SeDebugPrivilege	2100	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2712	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	39
PID 2548 wrote to memory of 2712	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	39
PID 2548 wrote to memory of 2712	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	39
PID 2548 wrote to memory of 1700	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	40
PID 2548 wrote to memory of 1700	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	40
PID 2548 wrote to memory of 1700	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	40
PID 2548 wrote to memory of 1604	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	41
PID 2548 wrote to memory of 1604	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	41
PID 2548 wrote to memory of 1604	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	41
PID 2548 wrote to memory of 1592	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	43
PID 2548 wrote to memory of 1592	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	43
PID 2548 wrote to memory of 1592	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	43
PID 2548 wrote to memory of 2076	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	45
PID 2548 wrote to memory of 2076	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	45
PID 2548 wrote to memory of 2076	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	45
PID 2548 wrote to memory of 1420	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	46
PID 2548 wrote to memory of 1420	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	46
PID 2548 wrote to memory of 1420	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	46
PID 2548 wrote to memory of 1920	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	47
PID 2548 wrote to memory of 1920	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	47
PID 2548 wrote to memory of 1920	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	47
PID 2548 wrote to memory of 1908	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	48
PID 2548 wrote to memory of 1908	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	48
PID 2548 wrote to memory of 1908	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	48
PID 2548 wrote to memory of 2964	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	49
PID 2548 wrote to memory of 2964	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	49
PID 2548 wrote to memory of 2964	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	49
PID 2548 wrote to memory of 2164	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	57
PID 2548 wrote to memory of 2164	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	57
PID 2548 wrote to memory of 2164	2548	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	57
PID 2164 wrote to memory of 2848	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	59
PID 2164 wrote to memory of 2848	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	59
PID 2164 wrote to memory of 2848	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	59
PID 2164 wrote to memory of 2840	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	60
PID 2164 wrote to memory of 2840	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	60
PID 2164 wrote to memory of 2840	2164	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	60
PID 2848 wrote to memory of 316	2848	WScript.exe	61
PID 2848 wrote to memory of 316	2848	WScript.exe	61
PID 2848 wrote to memory of 316	2848	WScript.exe	61
PID 316 wrote to memory of 2916	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	62
PID 316 wrote to memory of 2916	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	62
PID 316 wrote to memory of 2916	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	62
PID 316 wrote to memory of 1180	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	63
PID 316 wrote to memory of 1180	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	63
PID 316 wrote to memory of 1180	316	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	63
PID 2916 wrote to memory of 2680	2916	WScript.exe	64
PID 2916 wrote to memory of 2680	2916	WScript.exe	64
PID 2916 wrote to memory of 2680	2916	WScript.exe	64
PID 2680 wrote to memory of 664	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	65
PID 2680 wrote to memory of 664	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	65
PID 2680 wrote to memory of 664	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	65
PID 2680 wrote to memory of 2392	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	66
PID 2680 wrote to memory of 2392	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	66
PID 2680 wrote to memory of 2392	2680	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	66
PID 664 wrote to memory of 2068	664	WScript.exe	67
PID 664 wrote to memory of 2068	664	WScript.exe	67
PID 664 wrote to memory of 2068	664	WScript.exe	67
PID 2068 wrote to memory of 2336	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	68
PID 2068 wrote to memory of 2336	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	68
PID 2068 wrote to memory of 2336	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	68
PID 2068 wrote to memory of 2244	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	69
PID 2068 wrote to memory of 2244	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	69
PID 2068 wrote to memory of 2244	2068	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe	69
PID 2336 wrote to memory of 1596	2336	WScript.exe	70

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
"C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\WindowsUpdate\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\eqossnap\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TSSysprep\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
  "C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8be47058-bedd-4a1c-8561-3b8b3bdb32b9.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
      C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddd1a776-c6b8-4016-bc51-f46899b280ba.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76495905-c2b3-4ea1-9397-b8990154a90e.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a48a04a6-1c53-46a9-82b1-26c5b4de06ca.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a7219f3-13c3-4ae5-bd29-0f0b5f75e53f.vbs"
        11⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3f49491-d0e6-4180-80c8-0cd2fcdf4fa1.vbs"
        13⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ac459c1-5765-49bb-99ae-aebcd6cf9963.vbs"
        15⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433eeabd-4044-416d-9778-4a74d5947b9a.vbs"
        17⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f58d2daf-e460-41e1-ba34-d80f1c0c5215.vbs"
        19⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390755e8-2f2e-42fa-bec7-ae11f41a051c.vbs"
        21⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b0b06df-37de-4c39-bfda-24d9f91115c3.vbs"
        23⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d87d01-1ecf-4873-80d4-8e9addee989b.vbs"
        25⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        
        C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69b46deb-6463-4c17-880f-29cd366c3f11.vbs"
        27⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea221602-833a-4e7f-8c9c-d3f4040681bf.vbs"
        27⤵
        
        PID:1304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\413fd1e7-48a9-40f7-8479-a2d93a086638.vbs"
        25⤵
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38bb3b1c-2253-4301-a97f-1862512139c2.vbs"
        23⤵
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9eac49b6-3e3e-485c-b1ce-cb44a9a32a8b.vbs"
        21⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\745f9b48-9cba-4b0a-bc2f-2a1df305a893.vbs"
        19⤵
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1033c03a-c30d-4d6c-b1b6-abc12fa19015.vbs"
        17⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d764dbe-7fe5-4aa6-92a3-c6e71730c5f3.vbs"
        15⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e2baed3-d430-4eff-9260-ec7a5369eb7d.vbs"
        13⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf7aa251-4020-4794-a622-7574939fbfad.vbs"
        11⤵
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ff2a1c-cb2d-4fd7-8e5c-622633851d7e.vbs"
        9⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86f99f9-52f7-4c7a-9559-f9602d64578a.vbs"
        7⤵
        
        PID:2392
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f668c8e8-a05c-4c03-996d-f716b41a96ad.vbs"
        5⤵
        
        PID:1180
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed743472-a830-43ac-bc2b-9b751bafcbe7.vbs"
    3⤵
    PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\WindowsUpdate\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\eqossnap\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\addins\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N\7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\TSSysprep\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b0b06df-37de-4c39-bfda-24d9f91115c3.vbs

Filesize
845B

MD5
36826c08a9320048d6308d1720d4cfdc

SHA1
241222cda9d880fd510c91efce4bf42ef3fd36f4

SHA256
3280fd26393c7f539c8f5eae8062513516b16714c7a7c533ceeff0d3b87eeadf

SHA512
0a6b4eeb49f1b2c2c54e7352c03f3b7cbce9fc8a655dbf887e3531bc4f9c37f3cbf4997bb3a74049b22b4f2ea1306ca4600b03c7fd9ea746c8caa591710c834f

Download Submit
C:\Users\Admin\AppData\Local\Temp\390755e8-2f2e-42fa-bec7-ae11f41a051c.vbs

Filesize
845B

MD5
86241f847ffdfcdcb2529c13e4201554

SHA1
3958f75da9b845d4125f90e43e4580d028a37a12

SHA256
0d1c590ffbcfccf96a6131fe5856abfc5f828cdc22ec76d8e0061af3d2d72119

SHA512
9a5365eaac56c1a5fd618b8272a7cc20f0b9f8192f1a68aaf0ab790515c3056a7ecaf17d49643789f0c63df1e2db6f5ca3c2572e7362a2dec3a931c6d7e74520

Download Submit
C:\Users\Admin\AppData\Local\Temp\433eeabd-4044-416d-9778-4a74d5947b9a.vbs

Filesize
845B

MD5
e9a3d0b3296551a6f6e03564e7667c9c

SHA1
5bba85021c9d97c0689413332afa15f34a84169a

SHA256
6b36c0a86318b83d7b7180e1bfe992a672e85c9030713b022493debe7133eed1

SHA512
18ca8d4c7c8a43ed9ad852be27ac44f39ac0b0bf11abd221a333a86e106025701bee31a20ef97381ea3fafbdd850b8ba8da69833b185b5937d4a4408cdff6a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a7219f3-13c3-4ae5-bd29-0f0b5f75e53f.vbs

Filesize
845B

MD5
43fd0cc4bec3c4b237cd97ae2e6dba3f

SHA1
7e659f81d0d15cdb80db005968474d3ea7fe1dd3

SHA256
9bef8abcb904df1c12bcb0a3962c1d961614bdaf5960fecb5b665bd60516c50b

SHA512
9c9bb74a04ee7c970a2ad9fc18baacb345be8d6a17adcc7bbf878c9e8fc731a595fcadd0bb1818fbb7498e0a2e44ed07d960b2583d893ea6585a8b6b377fe0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ac459c1-5765-49bb-99ae-aebcd6cf9963.vbs

Filesize
845B

MD5
ff1680f7c37d070cc3bf219209c7fa2c

SHA1
25af9e6d492bbc9879b9dfdc820a979255418bac

SHA256
bee71b4b04ef971f1f154c40e937ccee528ca46e8472c5fb9428cf4fecbe4c5d

SHA512
af729b0d5bea98fabf83fac935eb7660c4cda15f517dea85ef8d7ffab5e793fdb0cb2efb3f8d1de07331f59717fff5a6d10e5c06718a157b8a59a4076504273b

Download Submit
C:\Users\Admin\AppData\Local\Temp\69b46deb-6463-4c17-880f-29cd366c3f11.vbs

Filesize
845B

MD5
9193a47ae6f19ffc91ff558bcfcdcc27

SHA1
64b6c168571502a2ad4c1be249bfdea1eeffbc7c

SHA256
54d410f07fddcdf6ebe6f0a84c1e66224611ae74a5deab1724d0d45eca5d39c8

SHA512
6a15f1d7b6c2dd9cf4e93458108390f99d3b251d8f4cdeb8dbc7763a624c31ca7844f8dc0bbcbb75b1c339874e6729f6986b01da0749bba464d12314063f26f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\76495905-c2b3-4ea1-9397-b8990154a90e.vbs

Filesize
845B

MD5
a0b7997d4b1b0b82519a5efe4b93c86a

SHA1
4ba7da33080b00e483e7b89f17c77f411d06d983

SHA256
5de9dc1b226f127204b65426a89b5251944e5ccfca2ee5d1287ad15d769db020

SHA512
ee9b9f672ec1695f21f9267e757848100d182b049baae3f3728d2733dffa2c0b8dcfd3fbd5b93b948e4b576c7fe1efcb8dfbaffe285fbd1bb26da7fc1972b6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\81d87d01-1ecf-4873-80d4-8e9addee989b.vbs

Filesize
845B

MD5
588eea5b03bb3e1c716b25ae23fdc867

SHA1
92febc1b68a411f37682f74873aa81d95e960672

SHA256
520f1580e54ffb17cae4ff1202fa7457c0a64f539e9f27237c308590efce472f

SHA512
83de484af5756c13922a242ffdd937856076c8bcc36bee6e788a57970fd5318c48e4b93fb66ac4f99b5ef04b83eda91b016396cd569bd1020bcdbf30589e9bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8be47058-bedd-4a1c-8561-3b8b3bdb32b9.vbs

Filesize
845B

MD5
9edec57c10d5f4d32e2f1e60d4630a35

SHA1
03257d245a22e95c47138b72f8fd5e11de52856b

SHA256
ff6d3a24dad261264a8480c6b884551b89e16d8cd6c406b27989d870dbf338e9

SHA512
48af38d067d458bdc5dd51dd9c7e371b9f00388ecb41f39555e906260cc4320f619b52af311086555e62fed20a67411c698ad2923504cb6afaad9866755d674a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a48a04a6-1c53-46a9-82b1-26c5b4de06ca.vbs

Filesize
845B

MD5
23b6df8f5c69314ca01f615b72008f2d

SHA1
d9724700e8bafac46593556d3d8bd5fe121e5f56

SHA256
cb2ea1aa5b688bb1cae79a577cc6983d094032c6c656101d7eae9276c9bd13e6

SHA512
46495380bd2d39a2bb6e5396fef6d8535c37597334892c4b13c262d5a3c4aeea09c577f9b535a74843c42650dd42571d723c7ebd95fdf2d28b1990f3fb372feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddd1a776-c6b8-4016-bc51-f46899b280ba.vbs

Filesize
844B

MD5
f07fc8d4909c5c81adca267948ff1651

SHA1
c9a9aa7d366cd564104635b6dbe27a6700d845e8

SHA256
478a1d7c651003105679965962b85147e9b73285914484bf710b6cb7b449ffaf

SHA512
8d326a63de1dec96b5166b832626a76c64e3901bd78497b4bd210cb789ca47a3d5fe66b60b7193f84d1d2d78492527bbdd490d55dc87448d2bfcccd84d7fc16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed743472-a830-43ac-bc2b-9b751bafcbe7.vbs

Filesize
621B

MD5
e392ffb1f89347350d405be714c05140

SHA1
288b1b2bbbea04d83d9e06b277f1b6cba3c82c6f

SHA256
76bdfc2b404463e3731765ec15d3aca3dd2cec12f6079c5a37d1b5a1deeb34d5

SHA512
9d8191ab8e4281c7f2348d14f30e7e6c21aa2e8123d2093f8cc335fbed52749adec48e0269abe4dc6f8e2e865f652cda39034ac710a11c8911d0f27eb7ef82d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3f49491-d0e6-4180-80c8-0cd2fcdf4fa1.vbs

Filesize
845B

MD5
04c67e7075423a97f129705013b138a1

SHA1
9f37192c890bf70b5aa61cc57a9351e24d713f64

SHA256
cb45719597f8df2c40284efb8a85586deb87e407a2b3e3473053be9690e64daf

SHA512
984b4666d7f60a8fd9c70037a3e991b23b0533473f8b1a63189f68ed91a3d20e601c6d50fa3d65df513e89866a46be60739310f49accece9436e07c2bd57471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f58d2daf-e460-41e1-ba34-d80f1c0c5215.vbs

Filesize
845B

MD5
4b51222a3550613937c0e770e53b27a1

SHA1
146043e6a03bf9972ec047873e4cd3130fc20e53

SHA256
54732edf1d1626d3b76e1eca35db00d5bf5bef17f042196ca0a68d5a8e91da90

SHA512
2e23f1a639a7e8086363e0f8c8555948b5bda8240273411149e18bcdaa7fd9ff200018e90dbfc910bfe59110eb058622f35623a4f416b1b69de67614afd86a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76b6bca782bf73b0671ccd66f01a8d97

SHA1
ac49c19dca3cbf2b5595e72d0dce3e19c6bca315

SHA256
7505f3cb8eba52af1b0e480063321a32d1b2107b2c34e1bb5cdd50097d9db95e

SHA512
958433f726bbc4686c784b2368b7461713d5eec1d064ce43ac346415e3831a685ed96d5872d0154bf3481ac849a3a5efd62e62992d84d17e4ea3f2370f221fdf

Download Submit
C:\Windows\addins\Idle.exe

Filesize
1.5MB

MD5
9999309dcb3eb9d4b42ad1515c3f5cd0

SHA1
f43f97d19fd1b686592e78619ba7a3152e480cef

SHA256
7e7ea0ffa0ce17e47c7b47f7784ff1474316887af1ccf2e96e1d2d39ac636a36

SHA512
0a36a29be1aef8482bd59ed339edfeda3b1ea7addefb06c48aa68dbd15094dfb12a08e64937527a76eeb38f2576fe9d0cb6209a56dc89be806aa9503824b8dc2

Download Submit
memory/1596-198-0x0000000000390000-0x000000000050E000-memory.dmp

Filesize
1.5MB

Download
memory/1800-233-0x00000000000F0000-0x000000000026E000-memory.dmp

Filesize
1.5MB

Download
memory/1928-258-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1968-210-0x0000000000DC0000-0x0000000000F3E000-memory.dmp

Filesize
1.5MB

Download
memory/2068-186-0x00000000002D0000-0x000000000044E000-memory.dmp

Filesize
1.5MB

Download
memory/2100-294-0x00000000011C0000-0x000000000133E000-memory.dmp

Filesize
1.5MB

Download
memory/2164-152-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2164-113-0x0000000000C20000-0x0000000000D9E000-memory.dmp

Filesize
1.5MB

Download
memory/2204-245-0x0000000001010000-0x000000000118E000-memory.dmp

Filesize
1.5MB

Download
memory/2204-246-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2416-282-0x0000000000110000-0x000000000028E000-memory.dmp

Filesize
1.5MB

Download
memory/2548-13-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/2548-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/2548-1-0x0000000000980000-0x0000000000AFE000-memory.dmp

Filesize
1.5MB

Download
memory/2548-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-24-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-3-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2548-21-0x00000000020A0000-0x00000000020A8000-memory.dmp

Filesize
32KB

Download
memory/2548-20-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/2548-18-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/2548-17-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/2548-16-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2548-15-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2548-14-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2548-151-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-12-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2548-11-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2548-10-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2548-9-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2548-8-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2548-7-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2548-6-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/2548-4-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2548-5-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2680-174-0x0000000000300000-0x000000000047E000-memory.dmp

Filesize
1.5MB

Download
memory/2712-115-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2712-116-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/3028-270-0x0000000000070000-0x00000000001EE000-memory.dmp

Filesize
1.5MB

Download