dcrat | f7d4d0c674f3dc9ad0b2bc85b65c1cd2eea9e25d67c86790e30b0ff3452fb82a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11f790ade80bc83204d10e4c7cf2f957.exe
Size

2.6MB
MD5

11f790ade80bc83204d10e4c7cf2f957
SHA1

f59adc7146d76222816821ec5d9e11fbfc501f9e
SHA256

f7d4d0c674f3dc9ad0b2bc85b65c1cd2eea9e25d67c86790e30b0ff3452fb82a
SHA512

9fb975c8fc25c981fdc89c72fdf81eb11a3a71a4c86231892ad9d2a53f51701d75c50c6b1da57c8a9ac669c35816d1691b4364bdfe08a23f01f8a57b1932f184
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	256	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	3108	schtasks.exe	56
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	3108	schtasks.exe	56

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11f790ade80bc83204d10e4c7cf2f957.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1260-132-0x0000000000280000-0x0000000000524000-memory.dmp	dcrat
behavioral2/files/0x0002000000022e36-214.dat	dcrat
behavioral2/files/0x0002000000022e36-215.dat	dcrat
behavioral2/memory/2464-216-0x00000000007C0000-0x0000000000A64000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2464	backgroundTaskHost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	11f790ade80bc83204d10e4c7cf2f957.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ipinfo.io
44	ipinfo.io

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCXD3F4.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\explorer.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEF6C.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEFEA.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\7a0fd90576e088	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFC55.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RCXE2F1.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\explorer.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXFCE3.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\smss.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Microsoft\Temp\e1ef82546f0b02	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Portable Devices\0a1fd5f707cd16	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\69ddcba757bf72	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RCXD376.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RCXE36F.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCXF927.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\RCXF9B4.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\e6c9b481da804f	11f790ade80bc83204d10e4c7cf2f957.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\RCXE610.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Migration\WTR\RCXE69D.tmp	11f790ade80bc83204d10e4c7cf2f957.exe
File opened for modification	C:\Windows\Migration\WTR\SppExtComObj.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Migration\WTR\SppExtComObj.exe	11f790ade80bc83204d10e4c7cf2f957.exe
File created	C:\Windows\Migration\WTR\e1ef82546f0b02	11f790ade80bc83204d10e4c7cf2f957.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4148	schtasks.exe
2772	schtasks.exe
4032	schtasks.exe
1440	schtasks.exe
3676	schtasks.exe
5060	schtasks.exe
508	schtasks.exe
3964	schtasks.exe
4364	schtasks.exe
4768	schtasks.exe
3288	schtasks.exe
3736	schtasks.exe
4572	schtasks.exe
3208	schtasks.exe
1660	schtasks.exe
1148	schtasks.exe
3752	schtasks.exe
396	schtasks.exe
4420	schtasks.exe
256	schtasks.exe
4204	schtasks.exe
4220	schtasks.exe
3888	schtasks.exe
4524	schtasks.exe
2156	schtasks.exe
5112	schtasks.exe
760	schtasks.exe
1132	schtasks.exe
3228	schtasks.exe
976	schtasks.exe
3328	schtasks.exe
2136	schtasks.exe
3900	schtasks.exe
224	schtasks.exe
3432	schtasks.exe
4448	schtasks.exe
1764	schtasks.exe
3396	schtasks.exe
1768	schtasks.exe
1800	schtasks.exe
2140	schtasks.exe
3156	schtasks.exe
4808	schtasks.exe
3716	schtasks.exe
4280	schtasks.exe
3232	schtasks.exe
2036	schtasks.exe
3560	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	11f790ade80bc83204d10e4c7cf2f957.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe
1260	11f790ade80bc83204d10e4c7cf2f957.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2464	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	11f790ade80bc83204d10e4c7cf2f957.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2464	backgroundTaskHost.exe
Token: SeBackupPrivilege	4508	vssvc.exe
Token: SeRestorePrivilege	4508	vssvc.exe
Token: SeAuditPrivilege	4508	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2464	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1828	1260	11f790ade80bc83204d10e4c7cf2f957.exe	140
PID 1260 wrote to memory of 1828	1260	11f790ade80bc83204d10e4c7cf2f957.exe	140
PID 1260 wrote to memory of 3380	1260	11f790ade80bc83204d10e4c7cf2f957.exe	148
PID 1260 wrote to memory of 3380	1260	11f790ade80bc83204d10e4c7cf2f957.exe	148
PID 1260 wrote to memory of 836	1260	11f790ade80bc83204d10e4c7cf2f957.exe	141
PID 1260 wrote to memory of 836	1260	11f790ade80bc83204d10e4c7cf2f957.exe	141
PID 1260 wrote to memory of 1640	1260	11f790ade80bc83204d10e4c7cf2f957.exe	142
PID 1260 wrote to memory of 1640	1260	11f790ade80bc83204d10e4c7cf2f957.exe	142
PID 1260 wrote to memory of 2392	1260	11f790ade80bc83204d10e4c7cf2f957.exe	144
PID 1260 wrote to memory of 2392	1260	11f790ade80bc83204d10e4c7cf2f957.exe	144
PID 1260 wrote to memory of 4620	1260	11f790ade80bc83204d10e4c7cf2f957.exe	149
PID 1260 wrote to memory of 4620	1260	11f790ade80bc83204d10e4c7cf2f957.exe	149
PID 1260 wrote to memory of 2272	1260	11f790ade80bc83204d10e4c7cf2f957.exe	174
PID 1260 wrote to memory of 2272	1260	11f790ade80bc83204d10e4c7cf2f957.exe	174
PID 1260 wrote to memory of 3668	1260	11f790ade80bc83204d10e4c7cf2f957.exe	172
PID 1260 wrote to memory of 3668	1260	11f790ade80bc83204d10e4c7cf2f957.exe	172
PID 1260 wrote to memory of 1764	1260	11f790ade80bc83204d10e4c7cf2f957.exe	152
PID 1260 wrote to memory of 1764	1260	11f790ade80bc83204d10e4c7cf2f957.exe	152
PID 1260 wrote to memory of 1544	1260	11f790ade80bc83204d10e4c7cf2f957.exe	171
PID 1260 wrote to memory of 1544	1260	11f790ade80bc83204d10e4c7cf2f957.exe	171
PID 1260 wrote to memory of 952	1260	11f790ade80bc83204d10e4c7cf2f957.exe	154
PID 1260 wrote to memory of 952	1260	11f790ade80bc83204d10e4c7cf2f957.exe	154
PID 1260 wrote to memory of 4632	1260	11f790ade80bc83204d10e4c7cf2f957.exe	156
PID 1260 wrote to memory of 4632	1260	11f790ade80bc83204d10e4c7cf2f957.exe	156
PID 1260 wrote to memory of 4204	1260	11f790ade80bc83204d10e4c7cf2f957.exe	168
PID 1260 wrote to memory of 4204	1260	11f790ade80bc83204d10e4c7cf2f957.exe	168
PID 1260 wrote to memory of 4232	1260	11f790ade80bc83204d10e4c7cf2f957.exe	157
PID 1260 wrote to memory of 4232	1260	11f790ade80bc83204d10e4c7cf2f957.exe	157
PID 1260 wrote to memory of 3836	1260	11f790ade80bc83204d10e4c7cf2f957.exe	159
PID 1260 wrote to memory of 3836	1260	11f790ade80bc83204d10e4c7cf2f957.exe	159
PID 1260 wrote to memory of 2068	1260	11f790ade80bc83204d10e4c7cf2f957.exe	161
PID 1260 wrote to memory of 2068	1260	11f790ade80bc83204d10e4c7cf2f957.exe	161
PID 1260 wrote to memory of 4720	1260	11f790ade80bc83204d10e4c7cf2f957.exe	162
PID 1260 wrote to memory of 4720	1260	11f790ade80bc83204d10e4c7cf2f957.exe	162
PID 1260 wrote to memory of 3620	1260	11f790ade80bc83204d10e4c7cf2f957.exe	166
PID 1260 wrote to memory of 3620	1260	11f790ade80bc83204d10e4c7cf2f957.exe	166
PID 3620 wrote to memory of 5628	3620	cmd.exe	176
PID 3620 wrote to memory of 5628	3620	cmd.exe	176
PID 3620 wrote to memory of 2464	3620	cmd.exe	179
PID 3620 wrote to memory of 2464	3620	cmd.exe	179

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	11f790ade80bc83204d10e4c7cf2f957.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe
"C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\11f790ade80bc83204d10e4c7cf2f957.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\RuntimeBroker.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\SppExtComObj.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\backgroundTaskHost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kcDIWAC5CG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5628
- - C:\odt\backgroundTaskHost.exe
    "C:\odt\backgroundTaskHost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\SIGNUP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c6c940df49fc678d1c74fea3c57a32f9

SHA1
79edd715358a82e6d29970998ff2e9b235ea4217

SHA256
4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

SHA512
3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcDIWAC5CG.bat

Filesize
194B

MD5
cd50fa1186f9e0761b213a83b92232a3

SHA1
4d953667a0c4f6aa16a357675b1a4947cfb158d0

SHA256
78ba2fb37b9dc8bfa7e3640506a6e578ce89f6b6b82b9295dedada50634285a8

SHA512
70ebe9e8f45883fc08331a17732ec1b437f58884fd3b2bbf408ad54d898905875dbc9bbd907668f4f951e8cd60ace39ea2a23c8abc52d055b5d2a37c7cf8d447

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
2.6MB

MD5
374cb1587aba15927696e488a52cb99b

SHA1
12683ccdf1d8d4513cc4573767de0cc7d0a4ce77

SHA256
85ff11cde28db81b8a89e21d7266866469ac5ccd5ff206be905b1565bb07f448

SHA512
76647b8ad2e845869505b928cf05b789cb21c761a70bd7d8d5e0bad540b4e44a584b8f24fe0cd8d957beb0259c5db7f8c6877338552f8efdbcc1f9e0e72d0fbc

Download Submit
C:\odt\backgroundTaskHost.exe

Filesize
2.6MB

MD5
374cb1587aba15927696e488a52cb99b

SHA1
12683ccdf1d8d4513cc4573767de0cc7d0a4ce77

SHA256
85ff11cde28db81b8a89e21d7266866469ac5ccd5ff206be905b1565bb07f448

SHA512
76647b8ad2e845869505b928cf05b789cb21c761a70bd7d8d5e0bad540b4e44a584b8f24fe0cd8d957beb0259c5db7f8c6877338552f8efdbcc1f9e0e72d0fbc

Download Submit
memory/836-160-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/836-209-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/836-142-0x0000000000000000-mapping.dmp

Download
memory/952-150-0x0000000000000000-mapping.dmp

Download
memory/952-165-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/952-204-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1260-134-0x000000001D010000-0x000000001D538000-memory.dmp

Filesize
5.2MB

Download
memory/1260-139-0x000000001B2B9000-0x000000001B2BF000-memory.dmp

Filesize
24KB

Download
memory/1260-133-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1260-168-0x000000001DD40000-0x000000001DD44000-memory.dmp

Filesize
16KB

Download
memory/1260-135-0x000000001B2B9000-0x000000001B2BF000-memory.dmp

Filesize
24KB

Download
memory/1260-136-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1260-137-0x000000001DD40000-0x000000001DD44000-memory.dmp

Filesize
16KB

Download
memory/1260-170-0x000000001DD44000-0x000000001DD47000-memory.dmp

Filesize
12KB

Download
memory/1260-132-0x0000000000280000-0x0000000000524000-memory.dmp

Filesize
2.6MB

Download
memory/1260-166-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1260-167-0x000000001B2B9000-0x000000001B2BF000-memory.dmp

Filesize
24KB

Download
memory/1260-138-0x000000001DD44000-0x000000001DD47000-memory.dmp

Filesize
12KB

Download
memory/1544-205-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1544-149-0x0000000000000000-mapping.dmp

Download
memory/1544-176-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1640-143-0x0000000000000000-mapping.dmp

Download
memory/1764-164-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1764-203-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1764-148-0x0000000000000000-mapping.dmp

Download
memory/1828-153-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/1828-140-0x0000000000000000-mapping.dmp

Download
memory/1828-183-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2068-172-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2068-157-0x0000000000000000-mapping.dmp

Download
memory/2068-211-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2272-201-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2272-146-0x0000000000000000-mapping.dmp

Download
memory/2272-175-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2392-210-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2392-144-0x0000000000000000-mapping.dmp

Download
memory/2392-174-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/2464-225-0x000000001CD57000-0x000000001CD5A000-memory.dmp

Filesize
12KB

Download
memory/2464-218-0x000000001EFE0000-0x000000001F1A2000-memory.dmp

Filesize
1.8MB

Download
memory/2464-234-0x000000001CD57000-0x000000001CD63000-memory.dmp

Filesize
48KB

Download
memory/2464-228-0x000000001CD5F000-0x000000001CD64000-memory.dmp

Filesize
20KB

Download
memory/2464-224-0x000000001CD54000-0x000000001CD57000-memory.dmp

Filesize
12KB

Download
memory/2464-223-0x000000001CD50000-0x000000001CD54000-memory.dmp

Filesize
16KB

Download
memory/2464-222-0x000000001CD50000-0x000000001CD54000-memory.dmp

Filesize
16KB

Download
memory/2464-230-0x000000001CD5A000-0x000000001CD5F000-memory.dmp

Filesize
20KB

Download
memory/2464-221-0x000000001B999000-0x000000001B99F000-memory.dmp

Filesize
24KB

Download
memory/2464-227-0x000000001CD54000-0x000000001CD57000-memory.dmp

Filesize
12KB

Download
memory/2464-213-0x0000000000000000-mapping.dmp

Download
memory/2464-220-0x00007FFFC99B0000-0x00007FFFCA471000-memory.dmp

Filesize
10.8MB

Download
memory/2464-219-0x000000001B999000-0x000000001B99F000-memory.dmp

Filesize
24KB

Download
memory/2464-229-0x000000001CD57000-0x000000001CD5A000-memory.dmp

Filesize
12KB

Download
memory/2464-233-0x000000001CD64000-0x000000001CD75000-memory.dmp

Filesize
68KB

Download
memory/2464-217-0x00007FFFC99B0000-0x00007FFFCA471000-memory.dmp

Filesize
10.8MB

Download
memory/2464-226-0x000000001CD5A000-0x000000001CD5F000-memory.dmp

Filesize
20KB

Download
memory/2464-216-0x00000000007C0000-0x0000000000A64000-memory.dmp

Filesize
2.6MB

Download
memory/2464-231-0x000000001CD57000-0x000000001CD63000-memory.dmp

Filesize
48KB

Download
memory/2464-232-0x000000001CD59000-0x000000001CD63000-memory.dmp

Filesize
40KB

Download
memory/3380-141-0x0000000000000000-mapping.dmp

Download
memory/3380-184-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3380-159-0x000001D733E30000-0x000001D733E52000-memory.dmp

Filesize
136KB

Download
memory/3380-155-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3620-163-0x0000000000000000-mapping.dmp

Download
memory/3668-147-0x0000000000000000-mapping.dmp

Download
memory/3668-161-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3668-199-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3836-202-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3836-171-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/3836-156-0x0000000000000000-mapping.dmp

Download
memory/4204-208-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4204-178-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4204-152-0x0000000000000000-mapping.dmp

Download
memory/4232-154-0x0000000000000000-mapping.dmp

Download
memory/4232-212-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4232-179-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4620-200-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4620-145-0x0000000000000000-mapping.dmp

Download
memory/4620-162-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4632-207-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4632-151-0x0000000000000000-mapping.dmp

Download
memory/4632-169-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4720-180-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/4720-158-0x0000000000000000-mapping.dmp

Download
memory/4720-206-0x00007FFFC9CB0000-0x00007FFFCA771000-memory.dmp

Filesize
10.8MB

Download
memory/5628-177-0x0000000000000000-mapping.dmp

Download