e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff2e9336d217437b4cca77856867f1b.exe
Size

1.9MB
MD5

bff2e9336d217437b4cca77856867f1b
SHA1

99f8ea54c8fc0cd346a9e068ed4e697e6f6ec264
SHA256

a6a8385b2dfec8b247a806f97a08878ee058b8155cb43f6b61924d849b0c608a
SHA512

3bcd140119ec7035d36bd714e2f0069a5df017ed5c2356bd233e22b845a07fc3aecc9851e88bcfbbad92184ccf3e500cce10734fa2949beba40c7d7d99ce3655
SSDEEP

24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

Score

10^/10

defense_evasion execution trojan

Malware Config

Signatures

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2864	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2864	schtasks.exe	30

UAC bypass 3 TTPs 39 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
2488	powershell.exe
1064	powershell.exe
988	powershell.exe
824	powershell.exe
2424	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bff2e9336d217437b4cca77856867f1b.exe

Executes dropped EXE 12 IoCs

pid	Process
984	bff2e9336d217437b4cca77856867f1b.exe
3020	services.exe
2224	services.exe
1408	services.exe
2136	services.exe
2316	services.exe
1952	services.exe
304	services.exe
2976	services.exe
2824	services.exe
2808	services.exe
2740	services.exe

Checks whether UAC is enabled 1 TTPs 26 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bff2e9336d217437b4cca77856867f1b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCX8C2C.tmp	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe	bff2e9336d217437b4cca77856867f1b.exe
File created	C:\Windows\de-DE\8a16fdd0b7bdee	bff2e9336d217437b4cca77856867f1b.exe
File opened for modification	C:\Windows\de-DE\RCX8C2B.tmp	bff2e9336d217437b4cca77856867f1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe
3008	schtasks.exe
2696	schtasks.exe
2664	schtasks.exe
2388	schtasks.exe
2836	schtasks.exe
2692	schtasks.exe
2144	schtasks.exe
2340	schtasks.exe
476	schtasks.exe
2068	schtasks.exe
2160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2464	bff2e9336d217437b4cca77856867f1b.exe
2488	powershell.exe
2760	powershell.exe
1064	powershell.exe
984	bff2e9336d217437b4cca77856867f1b.exe
984	bff2e9336d217437b4cca77856867f1b.exe
984	bff2e9336d217437b4cca77856867f1b.exe
984	bff2e9336d217437b4cca77856867f1b.exe
984	bff2e9336d217437b4cca77856867f1b.exe
988	powershell.exe
824	powershell.exe
2424	powershell.exe
3020	services.exe
2224	services.exe
1408	services.exe
2136	services.exe
2316	services.exe
1952	services.exe
304	services.exe
2976	services.exe
2824	services.exe
2808	services.exe
2740	services.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	bff2e9336d217437b4cca77856867f1b.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	984	bff2e9336d217437b4cca77856867f1b.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	3020	services.exe
Token: SeDebugPrivilege	2224	services.exe
Token: SeDebugPrivilege	1408	services.exe
Token: SeDebugPrivilege	2136	services.exe
Token: SeDebugPrivilege	2316	services.exe
Token: SeDebugPrivilege	1952	services.exe
Token: SeDebugPrivilege	304	services.exe
Token: SeDebugPrivilege	2976	services.exe
Token: SeDebugPrivilege	2824	services.exe
Token: SeDebugPrivilege	2808	services.exe
Token: SeDebugPrivilege	2740	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2760	2464	bff2e9336d217437b4cca77856867f1b.exe	37
PID 2464 wrote to memory of 2760	2464	bff2e9336d217437b4cca77856867f1b.exe	37
PID 2464 wrote to memory of 2760	2464	bff2e9336d217437b4cca77856867f1b.exe	37
PID 2464 wrote to memory of 1064	2464	bff2e9336d217437b4cca77856867f1b.exe	38
PID 2464 wrote to memory of 1064	2464	bff2e9336d217437b4cca77856867f1b.exe	38
PID 2464 wrote to memory of 1064	2464	bff2e9336d217437b4cca77856867f1b.exe	38
PID 2464 wrote to memory of 2488	2464	bff2e9336d217437b4cca77856867f1b.exe	39
PID 2464 wrote to memory of 2488	2464	bff2e9336d217437b4cca77856867f1b.exe	39
PID 2464 wrote to memory of 2488	2464	bff2e9336d217437b4cca77856867f1b.exe	39
PID 2464 wrote to memory of 2976	2464	bff2e9336d217437b4cca77856867f1b.exe	43
PID 2464 wrote to memory of 2976	2464	bff2e9336d217437b4cca77856867f1b.exe	43
PID 2464 wrote to memory of 2976	2464	bff2e9336d217437b4cca77856867f1b.exe	43
PID 2976 wrote to memory of 944	2976	cmd.exe	45
PID 2976 wrote to memory of 944	2976	cmd.exe	45
PID 2976 wrote to memory of 944	2976	cmd.exe	45
PID 2976 wrote to memory of 984	2976	cmd.exe	46
PID 2976 wrote to memory of 984	2976	cmd.exe	46
PID 2976 wrote to memory of 984	2976	cmd.exe	46
PID 984 wrote to memory of 988	984	bff2e9336d217437b4cca77856867f1b.exe	53
PID 984 wrote to memory of 988	984	bff2e9336d217437b4cca77856867f1b.exe	53
PID 984 wrote to memory of 988	984	bff2e9336d217437b4cca77856867f1b.exe	53
PID 984 wrote to memory of 824	984	bff2e9336d217437b4cca77856867f1b.exe	54
PID 984 wrote to memory of 824	984	bff2e9336d217437b4cca77856867f1b.exe	54
PID 984 wrote to memory of 824	984	bff2e9336d217437b4cca77856867f1b.exe	54
PID 984 wrote to memory of 2424	984	bff2e9336d217437b4cca77856867f1b.exe	55
PID 984 wrote to memory of 2424	984	bff2e9336d217437b4cca77856867f1b.exe	55
PID 984 wrote to memory of 2424	984	bff2e9336d217437b4cca77856867f1b.exe	55
PID 984 wrote to memory of 1472	984	bff2e9336d217437b4cca77856867f1b.exe	59
PID 984 wrote to memory of 1472	984	bff2e9336d217437b4cca77856867f1b.exe	59
PID 984 wrote to memory of 1472	984	bff2e9336d217437b4cca77856867f1b.exe	59
PID 1472 wrote to memory of 3036	1472	cmd.exe	61
PID 1472 wrote to memory of 3036	1472	cmd.exe	61
PID 1472 wrote to memory of 3036	1472	cmd.exe	61
PID 1472 wrote to memory of 3020	1472	cmd.exe	62
PID 1472 wrote to memory of 3020	1472	cmd.exe	62
PID 1472 wrote to memory of 3020	1472	cmd.exe	62
PID 3020 wrote to memory of 2768	3020	services.exe	63
PID 3020 wrote to memory of 2768	3020	services.exe	63
PID 3020 wrote to memory of 2768	3020	services.exe	63
PID 3020 wrote to memory of 2888	3020	services.exe	64
PID 3020 wrote to memory of 2888	3020	services.exe	64
PID 3020 wrote to memory of 2888	3020	services.exe	64
PID 2768 wrote to memory of 2224	2768	WScript.exe	65
PID 2768 wrote to memory of 2224	2768	WScript.exe	65
PID 2768 wrote to memory of 2224	2768	WScript.exe	65
PID 2224 wrote to memory of 436	2224	services.exe	66
PID 2224 wrote to memory of 436	2224	services.exe	66
PID 2224 wrote to memory of 436	2224	services.exe	66
PID 2224 wrote to memory of 348	2224	services.exe	67
PID 2224 wrote to memory of 348	2224	services.exe	67
PID 2224 wrote to memory of 348	2224	services.exe	67
PID 436 wrote to memory of 1408	436	WScript.exe	68
PID 436 wrote to memory of 1408	436	WScript.exe	68
PID 436 wrote to memory of 1408	436	WScript.exe	68
PID 1408 wrote to memory of 2504	1408	services.exe	69
PID 1408 wrote to memory of 2504	1408	services.exe	69
PID 1408 wrote to memory of 2504	1408	services.exe	69
PID 1408 wrote to memory of 1612	1408	services.exe	70
PID 1408 wrote to memory of 1612	1408	services.exe	70
PID 1408 wrote to memory of 1612	1408	services.exe	70
PID 2504 wrote to memory of 2136	2504	WScript.exe	71
PID 2504 wrote to memory of 2136	2504	WScript.exe	71
PID 2504 wrote to memory of 2136	2504	WScript.exe	71
PID 2136 wrote to memory of 2228	2136	services.exe	72

System policy modification 1 TTPs 39 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bff2e9336d217437b4cca77856867f1b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe
"C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\muDeaX4DM6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe
    "C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bff2e9336d217437b4cca77856867f1b.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\bff2e9336d217437b4cca77856867f1b.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hDAdBh8fSA.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3036
    - - C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e2dafc-4cac-46e2-a067-80fc9ec097e9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43b4cff4-b822-4d78-9cd1-6c3e3c24270a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3df330a9-040c-4deb-a497-8d74f98af225.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac14497-99e4-48af-b81c-0ba2e49e7043.vbs"
        12⤵
        
        PID:2228
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d933b5-e619-43f1-ae2a-42879a02cab7.vbs"
        14⤵
        
        PID:896
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d907083-adf9-4832-ab36-0b5bd1ff59bc.vbs"
        16⤵
        
        PID:2288
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cd89917-f000-4f50-9b56-50f63d370544.vbs"
        18⤵
        
        PID:2488
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\474bbd8b-c25b-487e-8fe0-9058a1c7b55f.vbs"
        20⤵
        
        PID:2496
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58543719-88cf-483b-950b-650f4b0cf7e1.vbs"
        22⤵
        
        PID:1936
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f5a16f9-bd97-4dcf-9e87-90c0ada8feac.vbs"
        24⤵
        
        PID:1560
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b314538-c008-4ff8-9b88-7312385b1656.vbs"
        26⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5933c9f3-1fdc-4c32-a1f2-a0731f91d4ca.vbs"
        26⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3d057a3-fd6d-42bc-9e15-21f454952fab.vbs"
        24⤵
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d41e7c0d-913f-4213-8110-f1ea00157945.vbs"
        22⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbc06889-3b40-40ad-bb1e-5af0d2b187be.vbs"
        20⤵
        
        PID:2388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b986bcab-1019-4c32-86d9-ba63094b2e53.vbs"
        18⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\808e7ddd-f1d6-4861-9d76-80083ca64444.vbs"
        16⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fbfb336-72e7-4583-ac0d-8131060e1a81.vbs"
        14⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66a1736b-e8c7-43cc-98e4-544020707c95.vbs"
        12⤵
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b6bf073-2b9b-44e0-8eb9-adcf74bf80b7.vbs"
        10⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ae4653c-7635-4a44-92bb-f20d2ab2db3d.vbs"
        8⤵
        
        PID:348
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f1e7799-30d9-4461-af7e-e9c226a006de.vbs"
        6⤵
        
        PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1bb" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1b" /sc ONLOGON /tr "'C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1bb" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1bb" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\bff2e9336d217437b4cca77856867f1b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1b" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\bff2e9336d217437b4cca77856867f1b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bff2e9336d217437b4cca77856867f1bb" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\bff2e9336d217437b4cca77856867f1b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f1e7799-30d9-4461-af7e-e9c226a006de.vbs

Filesize
486B

MD5
4c0a1ba421c7842aa6d1fb131d2eb3c5

SHA1
dde38e1c34b25a24f7167b0641aa329b323fe7ac

SHA256
40ee6003ef48e38f93be4ebe16c91d1c161235ec8f6036bc338731caba5aea87

SHA512
be7edd740e69b3b91de670010ffe4a7b7cd445cd6bde7118ce57b9099a1a5070f8b81e1db829762676c35da583e535abf30fcff8d7d0c2dd0ad3b5a032ca1e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\15d933b5-e619-43f1-ae2a-42879a02cab7.vbs

Filesize
710B

MD5
863266792c135616482c2af3c268bcac

SHA1
b0eb53a99af6057013c3c7211eabfa5f9ff68490

SHA256
0e940fc424616709af49f210b381875c767e96b6d8fe4be2b0e66e44735c3dc5

SHA512
c64b1bd95c4a7edda63de5e5035a277e5d073bada29b66d747647ba4ce0c79b0f73a1892e88456fcd11acf59f7708eba53ece92f807c7536e27e9fe1056eebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3cd89917-f000-4f50-9b56-50f63d370544.vbs

Filesize
709B

MD5
2167af2707748d6f8980877852628712

SHA1
f2dcc908752d9e8f06bdc8dd01de012c59dbd93e

SHA256
e830c36df66117dc32cfeb94401b82ff1f887f9fc7d0c23149b3b8e463592292

SHA512
2c6a19575f5bdfce54a52a2869c3f4e18e5aeef9346fbd428cce8cbb66391504394bcefa026203750a8d761ff4f9c2b8899348e2f30229430ee8bbdcd61c1bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\3df330a9-040c-4deb-a497-8d74f98af225.vbs

Filesize
710B

MD5
ce47b297801932ea1f23a4ccab349a8f

SHA1
7416a858704d5cfa86576363a1eb4aff664a1f6b

SHA256
ed01dbacc547fc286d5df54d85868aa5701ec1b8ed21e397a0939db94397de9d

SHA512
0928fd3c57b0866635ef8a0b673c93784226827f50f676520d71bea2ccb6b56c7d70aa2399a2594f2c4f4b4310f56d78f28567ee853bbe101bc4ac92221487f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f5a16f9-bd97-4dcf-9e87-90c0ada8feac.vbs

Filesize
710B

MD5
11b356710f732eb4597647463c96d131

SHA1
17737af7d9b35bf05a136a5da378597cca4ad449

SHA256
ce53a6f72763ed92281dedb68679f5e7ef20d5d52be69097e14794825ecd99af

SHA512
bf6a7418b73726244adb666b00477dfce83d36dfc0973f2c0d6c26aa16aa1ad0d76a6c925a3de871064e8e74ff029d11a3e06a74ab9037fe2bf978f22d6b9a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\43b4cff4-b822-4d78-9cd1-6c3e3c24270a.vbs

Filesize
710B

MD5
5752b82cf1540409c07b361ea2dfb1b4

SHA1
f6eb505757487e78c5402afc0e3748a3d6c6eb72

SHA256
daa1bd01c945c2bec04a71d967ec2b87a5e4d7d2f082a8adbc581c828e7a4eeb

SHA512
62103974aadd6245762296124d776082c3f7bd40cef545e162df898247436e0a13ea82a35906860aad6ed7510139217668d2b4b139735b7e410df60bf78c63cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\474bbd8b-c25b-487e-8fe0-9058a1c7b55f.vbs

Filesize
710B

MD5
b073a5a1e3bce2ffda71d18386094028

SHA1
4117743014250a71d13652d0d05689c2baf291ae

SHA256
380ea119734295687851090d821c2f5db094d18e495df3d043c9180d83cabf81

SHA512
d20f22b5d28f59d9411ba76a3a5468d12c94d31c5870efa3a72fdf4b543bdd9762c1c40e6a62e11b17fe470c3f1bf494f4f1f4e8861eced784d13a974ce4cb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d907083-adf9-4832-ab36-0b5bd1ff59bc.vbs

Filesize
710B

MD5
9a4d4821735fadb7050c570c05087f80

SHA1
13c23ebae5da5d6c9ddc723d701c3e5ac313f345

SHA256
f97071ed30f4b97c7497256b436b3fd15eeb32303a5e3e8de6f48ee9600d8f9f

SHA512
738bc240424ba024f7fdd78fdfb8e27f866d212945084a550b46eb87acfac80522c3c8bf19cd56d7b615caecc195c49776fc3f9010d1c2f18314f0f433db519f

Download Submit
C:\Users\Admin\AppData\Local\Temp\58543719-88cf-483b-950b-650f4b0cf7e1.vbs

Filesize
710B

MD5
d2b75e145d35fd438f5ce30e3479f888

SHA1
3befb0387a5a396e9f77a8e7b91928267b14c224

SHA256
443c2e7ba7ebb72345ca07fbaaafe60cffe01eb69bc2219f17f1793dcf7e0d72

SHA512
ab8e6addf1edc39b13f75364ea83438ae1212bc3333732317dfaa1df6bbb2d15ea18562dd7efe223ca9adedd4b0a1ceaf88f31b3f62392a081e5d0796f4d7235

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b314538-c008-4ff8-9b88-7312385b1656.vbs

Filesize
710B

MD5
d7ae677c6d962a460878a46d6e41f196

SHA1
d6583a3821049aef558b07511a05c898447a32bf

SHA256
b2f3798d60183f2afe5b24a94e2cb0bcb1451e2d0f58308b7fd3a9736c01e62f

SHA512
1696b1e88e989ea7d473395e7772f59cbf2e1f3432e5d25608f493eecc3f7cfe92909fe7499451f8a7c8b5aaebb2511d3cff423fd6d3870cadf24eef689b9755

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8e2dafc-4cac-46e2-a067-80fc9ec097e9.vbs

Filesize
710B

MD5
b680779b46bd3d70740986d0e734f59b

SHA1
3aedafa154d61be3861112068e7b6384988af55e

SHA256
3596ae5413a3291b44dd377425acab3c57540e70f9bf4716e4e090ff896727ca

SHA512
26de753c45c5f047dffbe4cf2c67da0d9d02594353e0d22560e509e1376be595c4444fee98194dece9a708d19927711c5e263d456813db353a8f9ae3f9c35aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bac14497-99e4-48af-b81c-0ba2e49e7043.vbs

Filesize
710B

MD5
987a57b0a9715a83fce1924ce7b16e6f

SHA1
94e2c5213d1027487823f28a8425eb785fa7122c

SHA256
d763757b0371f88214e91ae5a5cb7c1ffcc24e9cf9c48f05e4e43a60357f96c3

SHA512
c24ba1fffb2a585b31844748dc4d92cab070b31765d99a074c01845260f75969bd1e71d80fa84857bfbd8b5cd1a18a3050ccb14e4a7084a9072e6da69fbc28cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hDAdBh8fSA.bat

Filesize
199B

MD5
010b26634bc7a04b19c0420cdb36557c

SHA1
5ac4e6105fb43c261c8feb5383328c30733bf169

SHA256
c7820a077048ae2c44ebb4245cbaf9d4d62b8a15611c6f6d25ae16587a63ce48

SHA512
54367c3a26c2aa3d28d2558017fb5693cdba9f826691bd654b0bc5ee1198250f6dc2499269373db5f289f8f6b7713682fcc4fb3d11297d0dfd1cc2eef1b90745

Download Submit
C:\Users\Admin\AppData\Local\Temp\muDeaX4DM6.bat

Filesize
235B

MD5
3e71acf1a67dc84af296eaa09a511e4b

SHA1
3020cd7e320d3391b78696fdbc9c572bdb73e203

SHA256
aedd9ed10eaaecd52deca07ba354a9a084bd633af7bcae58fbcb3049896aec45

SHA512
31de2fa1a1d3a849a2c4086b3bebe86eb209fa42dba7ef1a08fe21226f8b0aa69a6c69e34b76a44a1b8024376a862bbd6411e85353c36b0b01617d57e8ac15c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2DEA.tmp

Filesize
384B

MD5
597245bafd5771f9ecf99654f9f48f4a

SHA1
66e25080e8316cfde3ffeeaf8b28c9a98874b890

SHA256
9df1cc5d31aebf12af6cd1473867f8f5bbd706b2fa908c2804d8b9f616b0e988

SHA512
c6c54670d123d5e6935eb487f7e73ee2816e7875eb77ae9a1aa7c35d72a6a1b35004a530ba922b937e1facbf718b098f6490cb097268ffcda7ef6b489583d1cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6909ce60ce7869894da0855c9af2637c

SHA1
8d90b0f3fe676e5e14c3a184c86085900bda31d6

SHA256
2666a3c1e37311098374c91e27a17334c572561da0ef8b82575247acb2973742

SHA512
fd817a88ea35f43fe91d751d11fb4b473ad143f6d7669470af2a268d381e179d7ae5c4489070330925e48282d1fe0d4797990bb12cbbe133c54582c9fdefa283

Download Submit
C:\Windows\de-DE\bff2e9336d217437b4cca77856867f1b.exe

Filesize
1.9MB

MD5
bff2e9336d217437b4cca77856867f1b

SHA1
99f8ea54c8fc0cd346a9e068ed4e697e6f6ec264

SHA256
a6a8385b2dfec8b247a806f97a08878ee058b8155cb43f6b61924d849b0c608a

SHA512
3bcd140119ec7035d36bd714e2f0069a5df017ed5c2356bd233e22b845a07fc3aecc9851e88bcfbbad92184ccf3e500cce10734fa2949beba40c7d7d99ce3655

Download Submit
memory/304-184-0x0000000000240000-0x000000000042A000-memory.dmp

Filesize
1.9MB

Download
memory/984-78-0x00000000009C0000-0x0000000000A16000-memory.dmp

Filesize
344KB

Download
memory/984-77-0x00000000000A0000-0x000000000028A000-memory.dmp

Filesize
1.9MB

Download
memory/984-79-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/988-100-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/988-105-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1952-172-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2224-126-0x0000000001060000-0x000000000124A000-memory.dmp

Filesize
1.9MB

Download
memory/2316-160-0x0000000001150000-0x000000000133A000-memory.dmp

Filesize
1.9MB

Download
memory/2464-17-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/2464-9-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2464-6-0x0000000000690000-0x00000000006A6000-memory.dmp

Filesize
88KB

Download
memory/2464-0-0x000007FEF5AF3000-0x000007FEF5AF4000-memory.dmp

Filesize
4KB

Download
memory/2464-14-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2464-1-0x0000000000D90000-0x0000000000F7A000-memory.dmp

Filesize
1.9MB

Download
memory/2464-15-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/2464-16-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2464-75-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-2-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2464-18-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/2464-13-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/2464-4-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2464-5-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/2464-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2464-10-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/2464-12-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/2464-8-0x00000000006B0000-0x0000000000706000-memory.dmp

Filesize
344KB

Download
memory/2464-7-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2488-72-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2740-232-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2760-73-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2824-208-0x0000000000B30000-0x0000000000B86000-memory.dmp

Filesize
344KB

Download
memory/2824-209-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2976-196-0x0000000001280000-0x000000000146A000-memory.dmp

Filesize
1.9MB

Download
memory/3020-115-0x00000000001A0000-0x000000000038A000-memory.dmp

Filesize
1.9MB

Download