dcrat | dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Size

1.5MB
MD5

5aeeddc9c33fb19473c2d36a1bf77632
SHA1

78c1f862eb9ba6c6e106f7c289d01358f42f655e
SHA256

dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d
SHA512

3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2
SSDEEP

24576:UNNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:kzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\51caddd3-4ec5-4031-8f9f-729567fd5919\\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\51caddd3-4ec5-4031-8f9f-729567fd5919\\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\dllhost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Temp\\51caddd3-4ec5-4031-8f9f-729567fd5919\\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe\", \"C:\\Program Files\\Windows Media Player\\ja-JP\\dllhost.exe\", \"C:\\Windows\\System32\\blbres\\services.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2780	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2780	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2780	schtasks.exe	28

UAC bypass 3 TTPs 42 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2612	powershell.exe
2660	powershell.exe
2544	powershell.exe
2948	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Executes dropped EXE 13 IoCs

pid	Process
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1576	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
816	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1716	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2844	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1400	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2488	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51caddd3-4ec5-4031-8f9f-729567fd5919\\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\51caddd3-4ec5-4031-8f9f-729567fd5919\\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\dllhost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\dllhost.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\blbres\\services.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\blbres\\services.exe\""	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\blbres\services.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Windows\System32\blbres\c5b4cb5e9653cc	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\blbres\RCX602D.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Windows\System32\blbres\services.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\ja-JP\dllhost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File created	C:\Program Files\Windows Media Player\ja-JP\5940a34987c991	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCX5DBC.tmp	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\dllhost.exe	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2352	schtasks.exe
2652	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2660	powershell.exe
2948	powershell.exe
2612	powershell.exe
2544	powershell.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	1576	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	816	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	1716	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2844	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	1400	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Token: SeDebugPrivilege	2488	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2612	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	32
PID 2416 wrote to memory of 2612	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	32
PID 2416 wrote to memory of 2612	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	32
PID 2416 wrote to memory of 2660	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	33
PID 2416 wrote to memory of 2660	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	33
PID 2416 wrote to memory of 2660	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	33
PID 2416 wrote to memory of 2948	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	34
PID 2416 wrote to memory of 2948	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	34
PID 2416 wrote to memory of 2948	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	34
PID 2416 wrote to memory of 2544	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	36
PID 2416 wrote to memory of 2544	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	36
PID 2416 wrote to memory of 2544	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	36
PID 2416 wrote to memory of 1144	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 2416 wrote to memory of 1144	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 2416 wrote to memory of 1144	2416	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	40
PID 1144 wrote to memory of 2720	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 1144 wrote to memory of 2720	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 1144 wrote to memory of 2720	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	41
PID 1144 wrote to memory of 2692	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	42
PID 1144 wrote to memory of 2692	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	42
PID 1144 wrote to memory of 2692	1144	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	42
PID 2720 wrote to memory of 2128	2720	WScript.exe	43
PID 2720 wrote to memory of 2128	2720	WScript.exe	43
PID 2720 wrote to memory of 2128	2720	WScript.exe	43
PID 2128 wrote to memory of 3000	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2128 wrote to memory of 3000	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2128 wrote to memory of 3000	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	44
PID 2128 wrote to memory of 1340	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	45
PID 2128 wrote to memory of 1340	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	45
PID 2128 wrote to memory of 1340	2128	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	45
PID 3000 wrote to memory of 2592	3000	WScript.exe	48
PID 3000 wrote to memory of 2592	3000	WScript.exe	48
PID 3000 wrote to memory of 2592	3000	WScript.exe	48
PID 2592 wrote to memory of 1644	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	49
PID 2592 wrote to memory of 1644	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	49
PID 2592 wrote to memory of 1644	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	49
PID 2592 wrote to memory of 2984	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	50
PID 2592 wrote to memory of 2984	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	50
PID 2592 wrote to memory of 2984	2592	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	50
PID 1644 wrote to memory of 2384	1644	WScript.exe	51
PID 1644 wrote to memory of 2384	1644	WScript.exe	51
PID 1644 wrote to memory of 2384	1644	WScript.exe	51
PID 2384 wrote to memory of 2508	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	52
PID 2384 wrote to memory of 2508	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	52
PID 2384 wrote to memory of 2508	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	52
PID 2384 wrote to memory of 332	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	53
PID 2384 wrote to memory of 332	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	53
PID 2384 wrote to memory of 332	2384	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	53
PID 2508 wrote to memory of 1432	2508	WScript.exe	54
PID 2508 wrote to memory of 1432	2508	WScript.exe	54
PID 2508 wrote to memory of 1432	2508	WScript.exe	54
PID 1432 wrote to memory of 484	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 1432 wrote to memory of 484	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 1432 wrote to memory of 484	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	55
PID 1432 wrote to memory of 2948	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	56
PID 1432 wrote to memory of 2948	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	56
PID 1432 wrote to memory of 2948	1432	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	56
PID 484 wrote to memory of 600	484	WScript.exe	57
PID 484 wrote to memory of 600	484	WScript.exe	57
PID 484 wrote to memory of 600	484	WScript.exe	57
PID 600 wrote to memory of 1944	600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	58
PID 600 wrote to memory of 1944	600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	58
PID 600 wrote to memory of 1944	600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	58
PID 600 wrote to memory of 1956	600	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe	59

System policy modification 1 TTPs 42 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
"C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\blbres\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
  "C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ab9c6c4-2c6d-40b7-943e-cbcadfb8b180.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
      C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2128
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e5f50c7-a111-4875-93cc-33597c45f533.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bce2095-4185-4289-a1c3-6665027febbc.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43506253-3c54-4ba3-b98c-392c039a64e9.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0facddd7-63f8-4740-bebd-eff1f9bbb8f4.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b61da629-cc32-48da-8f2e-70d3e19f5cf0.vbs"
        13⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49baf57f-c5c7-47b4-8b13-dad9d460dd2c.vbs"
        15⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a81c8055-9c99-4b96-9bbf-3e6284de0211.vbs"
        17⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb999ba-e082-427f-9450-ca605ad5ad16.vbs"
        19⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d1a1549-de0a-4520-b781-a3b4ef6c0070.vbs"
        21⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c539dd2d-f912-4611-b50f-19b4ab83969d.vbs"
        23⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        24⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f81c305-0c34-49e8-80d8-34feee6b2956.vbs"
        25⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        
        C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe
        26⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d34955ea-8163-433e-8754-bd876afbf136.vbs"
        27⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05e85bef-0044-4dc0-9eb4-161d4f49292c.vbs"
        27⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bed215ae-4dd7-4e70-a54a-9321dc6e2aa4.vbs"
        25⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cab0e50d-5e59-4e47-aa1d-152c1f745c9b.vbs"
        23⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4d02b35-22dd-40f7-895a-f5a28768a584.vbs"
        21⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\258e3a5b-269d-490c-a06a-2f206f9adbc9.vbs"
        19⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eed7b5e-8a88-41d9-a9a1-20ec2416c03c.vbs"
        17⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\377959e6-8011-4ebb-9f64-1417eaed0f45.vbs"
        15⤵
        
        PID:1156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64faa408-7669-4b38-b654-2def856af5eb.vbs"
        13⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5652a712-4517-4cab-aecf-85fed20508f1.vbs"
        11⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4366fd-0fc7-4c0e-a059-f7e914e91070.vbs"
        9⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b728f988-456f-4974-8711-8b5ef03fc8af.vbs"
        7⤵
        
        PID:2984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6baa2b8c-5e1c-4203-8af7-fcb8429384df.vbs"
        5⤵
        
        PID:1340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4173fac-2ee2-452a-adcb-52efe7a817d8.vbs"
    3⤵
    PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\blbres\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0facddd7-63f8-4740-bebd-eff1f9bbb8f4.vbs

Filesize
815B

MD5
583ef287442bada7a017297f57c6b737

SHA1
3fcb97584092c6e88d3a24192e5db21739e1c61b

SHA256
1053225f40a55ee944c6cf48ca59376896c9d022cde6b5adc45771f7932096ae

SHA512
5b4041673601cf6465c43e767c8f9b6aca2877b7c0c1f7a50ed114bd32962a2398379dddac343bf972b4ede13e2d0d7c3db416c25f6f5d33e16fdde369c0bea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ab9c6c4-2c6d-40b7-943e-cbcadfb8b180.vbs

Filesize
815B

MD5
cd183e1e3a7c9aaa21e5495dbc77c7c7

SHA1
845a5ff71908ed74586280148ae3d710b997a646

SHA256
c34ab69e5090020234d1aa5171693bf7cf32eadad3465ed6f4bef8e067669b25

SHA512
16e4a982523339f084343ccb770cb625429fcf5dd2b4acf5838a54990b31bca8612e3fdfc908c784d486cc1bb778fc071d64e119632676407aa1cb19bfc82b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e5f50c7-a111-4875-93cc-33597c45f533.vbs

Filesize
815B

MD5
6d9c04b9d7e42f539bb8cac7e88f30e8

SHA1
f1404de0388346d814afb0960106d2c43793a6b4

SHA256
c23acf9aa3e063e3a2b81d7d16127175ef928bc7977f6c4a03c65c48103f134a

SHA512
729eba054746250b808a4abea9994510d0c58339d65afd18a8cf15fac84bf6753d275fefa108ff43fdd5ab0ce321db55a7d4ba94da879032d82c871c88d88d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bce2095-4185-4289-a1c3-6665027febbc.vbs

Filesize
815B

MD5
8965fa2314b3366b1ba8f826d6847960

SHA1
da6c4196d958102f96bbaee6c4d0a5a0ea8cd4ff

SHA256
7d2956f2306696a54de3d053ec0b2c3a5d318babf5369e736952d88d783a0c9a

SHA512
d30f70f73c56f1dbbe00301a9f52673f0e3dc023aee4a9b5fba0601ab44026e9e3718e2472c1417140c4dddc6f2b29da1cade7d18806b920d7e59f5af9a60e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f81c305-0c34-49e8-80d8-34feee6b2956.vbs

Filesize
815B

MD5
a9c12743a8addc31d887dcc3e044651d

SHA1
4d85917c19559f01145e8838b9dabb6b2e4ad1e5

SHA256
012966883edba340f3b4174d5701b24e0eec7d435f816d0695e427a1b0448d75

SHA512
34ae102bc9cf8981c904c2d52badbe1065cab5339d52adb4029c64df1be8ed1f86da2387fe9fe622df80d11319ae60235db892ac78350f47741e9710a89bf36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fb999ba-e082-427f-9450-ca605ad5ad16.vbs

Filesize
815B

MD5
f8f50d09fdabe33270e30bef0417ee9e

SHA1
4b97436c21bc0f380275dbf0ff5d3e0e9e763b08

SHA256
1c4e7ab3a6a8b70a94a80f8cea41e2cc1e582d5be4792fa31f00e28345a2306a

SHA512
7d5a3d4ea31c23f275ed0e1e09374a5c31498190d7303953d61927340bc8c664ea96ef01e39db85cb1bc094ef8387f3b2a21d4fc5029ea66df122fabba874c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\43506253-3c54-4ba3-b98c-392c039a64e9.vbs

Filesize
815B

MD5
7b2e737ac6a9da2d77210049637e93e3

SHA1
4977d6f67ed934284e5324a0a1a4c4c89e1f50ad

SHA256
f626374bb0f57e4ba244344da63b58fad02bf64d442f5d3efa160e19286f0c1c

SHA512
3baa998896cc0692c57c48d567fe8c5ba591e6e690eac12667880a4f536c6c982284ae2a3892d85b332fe18405cee629667dcaa5544ee6c5c0abe5f6dca26a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\49baf57f-c5c7-47b4-8b13-dad9d460dd2c.vbs

Filesize
815B

MD5
dbd523034f3459df673a69740145d2c2

SHA1
69105e85c1d6db005c4608a74f937e992f0c74ba

SHA256
e51fa05aef675b8b947f393c7b2a775377ba0b9df6d5b63295f95a35cc620640

SHA512
02988f640b62760aba37b394d3e6ddd8fe40421b572f08c7e0fdef872e1363aab6f991db6e8270aeff68305e29b3ef4006aabbc17445b67308b0847e43d764bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\51caddd3-4ec5-4031-8f9f-729567fd5919\dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d.exe

Filesize
1.5MB

MD5
5aeeddc9c33fb19473c2d36a1bf77632

SHA1
78c1f862eb9ba6c6e106f7c289d01358f42f655e

SHA256
dbcd799b4465a36fd77e4857a7d5608b13e851d506f770a261926d765547587d

SHA512
3b56c817e7a004d2fdfcbdec57bb1dbbb003bc0ef4c767b26257e9547bcc8894a062351a083648483921216003426a629038008837112d1985e39ff1f8ee20d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d1a1549-de0a-4520-b781-a3b4ef6c0070.vbs

Filesize
815B

MD5
716877ebc61c32bdabf738503ba4e2a9

SHA1
09c526559219980a39afcae0c34d0462949d8ae4

SHA256
7a985d7870acb77c5d1b8bea148769dd10fc315949dd4286a273edd72943ccc3

SHA512
98df769e6758a008c2690cad24ad2bc734b1537975e0a9bcbb942232af0cf8f783b5e88d98dd1e85f390fb75d7a923a8a2538375c442fd501ab0aa47ab1e9820

Download Submit
C:\Users\Admin\AppData\Local\Temp\a81c8055-9c99-4b96-9bbf-3e6284de0211.vbs

Filesize
814B

MD5
c0d87dc23c74e727bab685bd8bb1e26d

SHA1
71d3f32b0216fe4111184e90f8e6c0e9ee4b36f9

SHA256
db0f0289d9f358c47ab3df0926cdfda8cf92ded000d9256d89c38bdf87d6bdf8

SHA512
14bbabb848d65fc1fe0ee88a8e848093eb5624dba29723fd30e8b0b49d652c88f31aadbdfa28784f17f3d77dd1c69b46fbb4e5431236600775c2e871c2f8a85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4173fac-2ee2-452a-adcb-52efe7a817d8.vbs

Filesize
591B

MD5
ecfa46783b45832a2558998c60397d24

SHA1
387c981d4030781d2d216c67a70a016cb2112496

SHA256
ea8e664342ce6e3a09b2392c50cdb519d562f94fdf9c3807b92f7284557524e5

SHA512
5bb10206e9dd908b069d399cc5e350b439f106d091637f3dd2bd49929053c1ad2f298d1a43b5d974001651178d9394eddee2e0dd7ed600aa332a48d473ebbf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\b61da629-cc32-48da-8f2e-70d3e19f5cf0.vbs

Filesize
814B

MD5
3d04813c2b8af5d60db4eed0b22b080e

SHA1
1c355e935a2db42cb50eb3942cbc41aa5983e66b

SHA256
034b1b3408517f9a902850c0fc907edf8f9f9eb9f913cf89b55c68b7448ed120

SHA512
7dfd5d977878dc2364f5b5ba581bf0da1efd7dcdff48d68bd26b1763ee4ef4f43d3b9b066be8d5611e15fa3e18a03af66055c17285e40444ca55c2c162aabe0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c539dd2d-f912-4611-b50f-19b4ab83969d.vbs

Filesize
815B

MD5
9bd5da41bcc621abed7e7fa84c807558

SHA1
23c76b48c0efd73fe446bd18811372f1c1e57e4e

SHA256
b8db149a63c6b78b896d77cdda1c8ef67285eaf24564c4954c0ef3fe53228433

SHA512
5ecfbf5e1fdebb0bafc4e608127f6006f3f18a8f7f210f311a188c3b5fa1f6158a2d1c8cbf2fa0d52b3d0666d42bb07b64221ef9a1145c900eac1c71fdda0ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d34955ea-8163-433e-8754-bd876afbf136.vbs

Filesize
815B

MD5
8999866fc02697248200692e064c002e

SHA1
0228a2d1d6fa3f4d92af72d11117b22141bf007d

SHA256
20fe124ed5978de0b1cbb5399a0919d9b6450a350ead2df8e23dd9c7a5773950

SHA512
3cf8531d0654074b34e73b9de501e3807279bb8f764d7191e03d7222f275206820852b63b946cb8121b87f47fd52f292c823f6be3869ff8727c2eabb56b9ec0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e995452a4aca41d79ebbba5fbec8131b

SHA1
12a11965af4a9e8a2d07ed82b403587e384e5149

SHA256
9f7759c57dfb3ae70008787723534a8d428af4413fa533f92f9497ca8af3043e

SHA512
49fbbe008a76201b4e696cdd980593ed16103c2e5429ec5b75f691ae6aa9b514b1f5d09aa5fe595cd50f577a854d331475589ddc95cead31d14305b7eaf65994

Download Submit
memory/600-143-0x0000000000370000-0x00000000004EE000-memory.dmp

Filesize
1.5MB

Download
memory/600-144-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1144-83-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1144-64-0x0000000000940000-0x0000000000ABE000-memory.dmp

Filesize
1.5MB

Download
memory/1400-217-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1400-216-0x0000000000FC0000-0x000000000113E000-memory.dmp

Filesize
1.5MB

Download
memory/1432-131-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1432-130-0x00000000010D0000-0x000000000124E000-memory.dmp

Filesize
1.5MB

Download
memory/1576-157-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1576-156-0x00000000013B0000-0x000000000152E000-memory.dmp

Filesize
1.5MB

Download
memory/1716-193-0x0000000000DF0000-0x0000000000F6E000-memory.dmp

Filesize
1.5MB

Download
memory/2128-94-0x0000000000130000-0x00000000002AE000-memory.dmp

Filesize
1.5MB

Download
memory/2384-118-0x0000000000110000-0x000000000028E000-memory.dmp

Filesize
1.5MB

Download
memory/2416-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/2416-17-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/2416-15-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/2416-20-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/2416-14-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2416-1-0x00000000000F0000-0x000000000026E000-memory.dmp

Filesize
1.5MB

Download
memory/2416-13-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2416-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-12-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2416-21-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2416-82-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-9-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2416-10-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/2416-11-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2416-8-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/2416-16-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2416-52-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-7-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2416-6-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2416-24-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-4-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2416-5-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2416-18-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2416-3-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2488-229-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2592-106-0x0000000000BD0000-0x0000000000D4E000-memory.dmp

Filesize
1.5MB

Download
memory/2600-181-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2600-180-0x00000000000D0000-0x000000000024E000-memory.dmp

Filesize
1.5MB

Download
memory/2660-80-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2948-81-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download