dcrat | f7d4d0c674f3dc9ad0b2bc85b65c1cd2eea9e25d67c86790e30b0ff3452fb82a

Analysis

max time kernel
102s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/09/2022, 00:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11f790ade80bc83204d10e4c7cf2f957.exe
Size

2.6MB
MD5

11f790ade80bc83204d10e4c7cf2f957
SHA1

f59adc7146d76222816821ec5d9e11fbfc501f9e
SHA256

f7d4d0c674f3dc9ad0b2bc85b65c1cd2eea9e25d67c86790e30b0ff3452fb82a
SHA512

9fb975c8fc25c981fdc89c72fdf81eb11a3a71a4c86231892ad9d2a53f51701d75c50c6b1da57c8a9ac669c35816d1691b4364bdfe08a23f01f8a57b1932f184
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1916	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1916	schtasks.exe	28

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11f790ade80bc83204d10e4c7cf2f957.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1980-54-0x00000000011E0000-0x0000000001484000-memory.dmp	dcrat
behavioral1/files/0x00070000000126a6-121.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2184	11f790ade80bc83204d10e4c7cf2f957.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11f790ade80bc83204d10e4c7cf2f957.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\fr-FR\lsass.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Windows Mail\fr-FR\6203df4a6bafc7	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX6079.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX63F3.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX7BDA.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX9FB5.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\101b941d020240	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCXCFE.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX30AB.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\lsass.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Uninstall Information\Idle.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\RCX1079.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCX3425.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX7860.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX9C3B.tmp	11f790ade80bc83204d10e4c7cf2f957.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\smss.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\DigitalLocker\WMIADAP.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCX5485.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\56085415360792	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\de-DE\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\RCX2841.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\de-DE\RCX4C0C.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\de-DE\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\smss.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Globalization\MCT\RCXABA9.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\DigitalLocker\RCX18F2.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\DigitalLocker\RCX1C5D.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\RCX24D6.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCX5800.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX8454.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Globalization\MCT\RCXA82F.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\DigitalLocker\WMIADAP.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\DigitalLocker\75a57c1bdf437c	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\de-DE\56085415360792	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\56085415360792	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\RemotePackages\RemoteApps\69ddcba757bf72	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCX87CE.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Globalization\MCT\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Globalization\MCT\56085415360792	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\de-DE\RCX4892.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Globalization\MCT\wininit.exe	11f790ade80bc83204d10e4c7cf2f957.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
920	schtasks.exe
968	schtasks.exe
1592	schtasks.exe
1076	schtasks.exe
2088	schtasks.exe
2144	schtasks.exe
524	schtasks.exe
1048	schtasks.exe
1296	schtasks.exe
2120	schtasks.exe
2188	schtasks.exe
1652	schtasks.exe
1588	schtasks.exe
1012	schtasks.exe
1484	schtasks.exe
824	schtasks.exe
1496	schtasks.exe
1044	schtasks.exe
1780	schtasks.exe
1044	schtasks.exe
1332	schtasks.exe
1764	schtasks.exe
1108	schtasks.exe
1224	schtasks.exe
1492	schtasks.exe
1316	schtasks.exe
2012	schtasks.exe
1836	schtasks.exe
2168	schtasks.exe
848	schtasks.exe
1936	schtasks.exe
1408	schtasks.exe
1928	schtasks.exe
1404	schtasks.exe
1724	schtasks.exe
1672	schtasks.exe
1260	schtasks.exe
1296	schtasks.exe
1116	schtasks.exe
744	schtasks.exe
268	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe
1980	11f790ade80bc83204d10e4c7cf2f957.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	11f790ade80bc83204d10e4c7cf2f957.exe
Token: SeDebugPrivilege	2184	11f790ade80bc83204d10e4c7cf2f957.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2252	1980	11f790ade80bc83204d10e4c7cf2f957.exe	71
PID 1980 wrote to memory of 2252	1980	11f790ade80bc83204d10e4c7cf2f957.exe	71
PID 1980 wrote to memory of 2252	1980	11f790ade80bc83204d10e4c7cf2f957.exe	71
PID 1980 wrote to memory of 2264	1980	11f790ade80bc83204d10e4c7cf2f957.exe	72
PID 1980 wrote to memory of 2264	1980	11f790ade80bc83204d10e4c7cf2f957.exe	72
PID 1980 wrote to memory of 2264	1980	11f790ade80bc83204d10e4c7cf2f957.exe	72
PID 1980 wrote to memory of 2284	1980	11f790ade80bc83204d10e4c7cf2f957.exe	80
PID 1980 wrote to memory of 2284	1980	11f790ade80bc83204d10e4c7cf2f957.exe	80
PID 1980 wrote to memory of 2284	1980	11f790ade80bc83204d10e4c7cf2f957.exe	80
PID 1980 wrote to memory of 2304	1980	11f790ade80bc83204d10e4c7cf2f957.exe	73
PID 1980 wrote to memory of 2304	1980	11f790ade80bc83204d10e4c7cf2f957.exe	73
PID 1980 wrote to memory of 2304	1980	11f790ade80bc83204d10e4c7cf2f957.exe	73
PID 1980 wrote to memory of 2324	1980	11f790ade80bc83204d10e4c7cf2f957.exe	76
PID 1980 wrote to memory of 2324	1980	11f790ade80bc83204d10e4c7cf2f957.exe	76
PID 1980 wrote to memory of 2324	1980	11f790ade80bc83204d10e4c7cf2f957.exe	76
PID 1980 wrote to memory of 2344	1980	11f790ade80bc83204d10e4c7cf2f957.exe	78
PID 1980 wrote to memory of 2344	1980	11f790ade80bc83204d10e4c7cf2f957.exe	78
PID 1980 wrote to memory of 2344	1980	11f790ade80bc83204d10e4c7cf2f957.exe	78
PID 1980 wrote to memory of 2380	1980	11f790ade80bc83204d10e4c7cf2f957.exe	81
PID 1980 wrote to memory of 2380	1980	11f790ade80bc83204d10e4c7cf2f957.exe	81
PID 1980 wrote to memory of 2380	1980	11f790ade80bc83204d10e4c7cf2f957.exe	81
PID 1980 wrote to memory of 2408	1980	11f790ade80bc83204d10e4c7cf2f957.exe	83
PID 1980 wrote to memory of 2408	1980	11f790ade80bc83204d10e4c7cf2f957.exe	83
PID 1980 wrote to memory of 2408	1980	11f790ade80bc83204d10e4c7cf2f957.exe	83
PID 1980 wrote to memory of 2476	1980	11f790ade80bc83204d10e4c7cf2f957.exe	84
PID 1980 wrote to memory of 2476	1980	11f790ade80bc83204d10e4c7cf2f957.exe	84
PID 1980 wrote to memory of 2476	1980	11f790ade80bc83204d10e4c7cf2f957.exe	84
PID 1980 wrote to memory of 2580	1980	11f790ade80bc83204d10e4c7cf2f957.exe	85
PID 1980 wrote to memory of 2580	1980	11f790ade80bc83204d10e4c7cf2f957.exe	85
PID 1980 wrote to memory of 2580	1980	11f790ade80bc83204d10e4c7cf2f957.exe	85
PID 1980 wrote to memory of 2660	1980	11f790ade80bc83204d10e4c7cf2f957.exe	97
PID 1980 wrote to memory of 2660	1980	11f790ade80bc83204d10e4c7cf2f957.exe	97
PID 1980 wrote to memory of 2660	1980	11f790ade80bc83204d10e4c7cf2f957.exe	97
PID 1980 wrote to memory of 2696	1980	11f790ade80bc83204d10e4c7cf2f957.exe	87
PID 1980 wrote to memory of 2696	1980	11f790ade80bc83204d10e4c7cf2f957.exe	87
PID 1980 wrote to memory of 2696	1980	11f790ade80bc83204d10e4c7cf2f957.exe	87
PID 1980 wrote to memory of 2744	1980	11f790ade80bc83204d10e4c7cf2f957.exe	88
PID 1980 wrote to memory of 2744	1980	11f790ade80bc83204d10e4c7cf2f957.exe	88
PID 1980 wrote to memory of 2744	1980	11f790ade80bc83204d10e4c7cf2f957.exe	88
PID 1980 wrote to memory of 2808	1980	11f790ade80bc83204d10e4c7cf2f957.exe	93
PID 1980 wrote to memory of 2808	1980	11f790ade80bc83204d10e4c7cf2f957.exe	93
PID 1980 wrote to memory of 2808	1980	11f790ade80bc83204d10e4c7cf2f957.exe	93
PID 1980 wrote to memory of 2860	1980	11f790ade80bc83204d10e4c7cf2f957.exe	91
PID 1980 wrote to memory of 2860	1980	11f790ade80bc83204d10e4c7cf2f957.exe	91
PID 1980 wrote to memory of 2860	1980	11f790ade80bc83204d10e4c7cf2f957.exe	91
PID 1980 wrote to memory of 2184	1980	11f790ade80bc83204d10e4c7cf2f957.exe	101
PID 1980 wrote to memory of 2184	1980	11f790ade80bc83204d10e4c7cf2f957.exe	101
PID 1980 wrote to memory of 2184	1980	11f790ade80bc83204d10e4c7cf2f957.exe	101

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11f790ade80bc83204d10e4c7cf2f957.exe

C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe
"C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\lsass.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\WMIADAP.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\11f790ade80bc83204d10e4c7cf2f957.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe
  "C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11f790ade80bc83204d10e4c7cf2f9571" /sc MINUTE /mo 12 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\11f790ade80bc83204d10e4c7cf2f957.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11f790ade80bc83204d10e4c7cf2f957" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\11f790ade80bc83204d10e4c7cf2f957.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11f790ade80bc83204d10e4c7cf2f9571" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\11f790ade80bc83204d10e4c7cf2f957.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\MCT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\MCT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe

Filesize
2.6MB

MD5
11f790ade80bc83204d10e4c7cf2f957

SHA1
f59adc7146d76222816821ec5d9e11fbfc501f9e

SHA256
f7d4d0c674f3dc9ad0b2bc85b65c1cd2eea9e25d67c86790e30b0ff3452fb82a

SHA512
9fb975c8fc25c981fdc89c72fdf81eb11a3a71a4c86231892ad9d2a53f51701d75c50c6b1da57c8a9ac669c35816d1691b4364bdfe08a23f01f8a57b1932f184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
48984d1ee57ce393e261a75e91548337

SHA1
ecb5f9ae32d387dd99c510fc90884193fab97ca7

SHA256
594a8496a4fbeb9263cb4066890bad7a6595e5091686771713e7e9b07828ca2f

SHA512
66b3383456c0fc696643f1e68292e85a0ed3720d22d601b107383d6cbd19065385e413f18946d6ff1004f94d8c20ac2217d48398eebf9e2381e6e1b75982d1f9

Download Submit
memory/1980-64-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/1980-61-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/1980-72-0x000000001A8B0000-0x000000001A8BC000-memory.dmp

Filesize
48KB

Download
memory/1980-71-0x000000001A8A0000-0x000000001A8A8000-memory.dmp

Filesize
32KB

Download
memory/1980-73-0x000000001B146000-0x000000001B165000-memory.dmp

Filesize
124KB

Download
memory/1980-74-0x000000001B146000-0x000000001B165000-memory.dmp

Filesize
124KB

Download
memory/1980-55-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/1980-56-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/1980-54-0x00000000011E0000-0x0000000001484000-memory.dmp

Filesize
2.6MB

Download
memory/1980-57-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1980-58-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/1980-59-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/1980-69-0x00000000011D0000-0x00000000011D8000-memory.dmp

Filesize
32KB

Download
memory/1980-68-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/1980-67-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/1980-66-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/1980-65-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/1980-63-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/1980-62-0x0000000000980000-0x00000000009D6000-memory.dmp

Filesize
344KB

Download
memory/1980-70-0x000000001A890000-0x000000001A89E000-memory.dmp

Filesize
56KB

Download
memory/1980-127-0x000000001B146000-0x000000001B165000-memory.dmp

Filesize
124KB

Download
memory/1980-60-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2252-152-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/2252-143-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2252-175-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/2252-186-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/2264-177-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2264-198-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/2264-154-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2264-86-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2264-82-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/2264-167-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/2284-185-0x000000001B920000-0x000000001BC1F000-memory.dmp

Filesize
3.0MB

Download
memory/2284-172-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/2284-140-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2284-124-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2284-197-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/2284-149-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/2304-155-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2304-161-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2304-128-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2304-178-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/2304-195-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2324-125-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2324-200-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2324-179-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2324-187-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/2324-163-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2324-156-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2344-123-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2344-165-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2344-204-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/2344-160-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2344-183-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/2344-193-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2380-153-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2380-136-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2380-176-0x00000000027A4000-0x00000000027A7000-memory.dmp

Filesize
12KB

Download
memory/2380-144-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2380-203-0x00000000027AB000-0x00000000027CA000-memory.dmp

Filesize
124KB

Download
memory/2408-122-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2408-190-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/2408-173-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2408-150-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/2408-141-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2408-208-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/2476-189-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2476-182-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2476-162-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2476-159-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/2476-202-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/2476-134-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2580-205-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/2580-164-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2580-135-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2580-180-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2580-192-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/2580-157-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2660-207-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/2660-133-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2660-194-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2660-148-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2660-139-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2660-171-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2696-196-0x000000001B980000-0x000000001BC7F000-memory.dmp

Filesize
3.0MB

Download
memory/2696-170-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/2696-147-0x00000000024A4000-0x00000000024A7000-memory.dmp

Filesize
12KB

Download
memory/2696-129-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2696-138-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2744-184-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2744-137-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2744-130-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2744-146-0x0000000001EE4000-0x0000000001EE7000-memory.dmp

Filesize
12KB

Download
memory/2744-169-0x0000000001EE4000-0x0000000001EE7000-memory.dmp

Filesize
12KB

Download
memory/2744-201-0x0000000001EEB000-0x0000000001F0A000-memory.dmp

Filesize
124KB

Download
memory/2808-199-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/2808-168-0x000000001B8C0000-0x000000001BBBF000-memory.dmp

Filesize
3.0MB

Download
memory/2808-174-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2808-132-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download
memory/2808-151-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/2808-142-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2860-158-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2860-181-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2860-166-0x000007FEEDAA0000-0x000007FEEE5FD000-memory.dmp

Filesize
11.4MB

Download
memory/2860-206-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/2860-126-0x000007FEEAF10000-0x000007FEEB933000-memory.dmp

Filesize
10.1MB

Download