dcrat | 1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6

Analysis

max time kernel
55s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24e4452c2fa32b490d57b57c307b8c2d.exe
Size

2.6MB
MD5

24e4452c2fa32b490d57b57c307b8c2d
SHA1

99570080bedc40498310a7044a47110a38637721
SHA256

1c2e46d685fdf5ee89fe9193e0ff0bf6dc7088014c29fe51f31e4e5613876eb6
SHA512

5a911f3046f58d58f2bbf3343965d46fe7d913d8ebb30488016cf6ff60ee307d8c9bc339b91b18dfe9e9e74f6f94b04c0ade7c1165709bf83149cf1c337d3f13
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1036	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1504-54-0x00000000013D0000-0x0000000001674000-memory.dmp	dcrat
behavioral1/memory/2224-131-0x0000000000EB0000-0x0000000001154000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe	dcrat
C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ipinfo.io
7 ipinfo.io

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 35 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Portable Devices\981892e0c668f9	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX2B4A.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\lsass.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\VideoLAN\VLC\6ccacd8608530f	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Uninstall Information\lsass.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX22D0.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX9A64.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Reference Assemblies\981892e0c668f9	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB632.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Windows Sidebar\c5b4cb5e9653cc	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\VideoLAN\VLC\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX7EF3.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX826D.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Sidebar\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX96EA.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB2B8.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXCE19.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Windows Sidebar\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX1F37.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX6A96.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Idle.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXCA8F.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Uninstall Information\6203df4a6bafc7	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX671B.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\7a0fd90576e088	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX2EC4.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe

Drops file in Windows directory 11 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
File opened for modification	C:\Windows\debug\WIA\RCX529F.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\debug\WIA\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCXA2DE.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\RCXAA3E.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\Boot\DVD\PCAT\fr-FR\taskhost.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\PolicyDefinitions\de-DE\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\PolicyDefinitions\de-DE\7a0fd90576e088	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\debug\WIA\RCX4F25.tmp	24e4452c2fa32b490d57b57c307b8c2d.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\explorer.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\debug\WIA\services.exe	24e4452c2fa32b490d57b57c307b8c2d.exe
File created	C:\Windows\debug\WIA\c5b4cb5e9653cc	24e4452c2fa32b490d57b57c307b8c2d.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2124	schtasks.exe
2248	schtasks.exe
292	schtasks.exe
1656	schtasks.exe
1620	schtasks.exe
1352	schtasks.exe
1676	schtasks.exe
1032	schtasks.exe
1056	schtasks.exe
1196	schtasks.exe
1288	schtasks.exe
1396	schtasks.exe
2032	schtasks.exe
428	schtasks.exe
1088	schtasks.exe
1940	schtasks.exe
1552	schtasks.exe
1052	schtasks.exe
1948	schtasks.exe
2000	schtasks.exe
696	schtasks.exe
2108	schtasks.exe
2200	schtasks.exe
556	schtasks.exe
1896	schtasks.exe
580	schtasks.exe
2080	schtasks.exe
816	schtasks.exe
1256	schtasks.exe
1332	schtasks.exe
2012	schtasks.exe
1620	schtasks.exe
2224	schtasks.exe
516	schtasks.exe
1040	schtasks.exe
1724	schtasks.exe
1308	schtasks.exe
2172	schtasks.exe
2268	schtasks.exe
1360	schtasks.exe
1080	schtasks.exe
1044	schtasks.exe
1008	schtasks.exe
540	schtasks.exe
2152	schtasks.exe
852	schtasks.exe
1180	schtasks.exe
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

pid	process
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe
1504	24e4452c2fa32b490d57b57c307b8c2d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description pid process

Token: SeDebugPrivilege 1504 24e4452c2fa32b490d57b57c307b8c2d.exe

description	pid	process
Token: SeDebugPrivilege	1504	24e4452c2fa32b490d57b57c307b8c2d.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	pid	process	target process
PID 1504 wrote to memory of 2408	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2408	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2408	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2420	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2420	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2420	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2440	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2440	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2440	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2460	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2460	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2460	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2488	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2488	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2488	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2520	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2520	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2520	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2544	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2544	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe
PID 1504 wrote to memory of 2544	1504	24e4452c2fa32b490d57b57c307b8c2d.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

24e4452c2fa32b490d57b57c307b8c2d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	24e4452c2fa32b490d57b57c307b8c2d.exe

C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe
"C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\services.exe'
2⤵
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\sppsvc.exe'
2⤵
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
2⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'
2⤵
PID:2544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\services.exe'
2⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
2⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'
2⤵
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe'
2⤵
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
2⤵
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'
2⤵
PID:3052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\smss.exe'
2⤵
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8sG8rlmD33.bat"
2⤵
PID:1456

C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe
"C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe"
3⤵
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe'
2⤵
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\wininit.exe'
2⤵
PID:2648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\Idle.exe'
2⤵
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\24e4452c2fa32b490d57b57c307b8c2d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "24e4452c2fa32b490d57b57c307b8c2d2" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe
Filesize
2.6MB

MD5
1b32b90cbfd3aa089c9c4d3888d3cad2

SHA1
4aadff38c600c27f9b53879446ace843b9a2fe1c

SHA256
a571846681481d1e9882990b3f1b94feb58d7ccb51a8e86be771df3121767016

SHA512
c150f33591c020b4145a00ede8b8bf09cbbdc439d605001f117a8366d3659dc2b48f027588acc6358b5555ff205ad678b8f4f619bcfcc8e0733a60ab8a10663a

Download Submit
C:\Program Files (x86)\Windows Portable Devices\24e4452c2fa32b490d57b57c307b8c2d.exe
Filesize
2.6MB

MD5
1b32b90cbfd3aa089c9c4d3888d3cad2

SHA1
4aadff38c600c27f9b53879446ace843b9a2fe1c

SHA256
a571846681481d1e9882990b3f1b94feb58d7ccb51a8e86be771df3121767016

SHA512
c150f33591c020b4145a00ede8b8bf09cbbdc439d605001f117a8366d3659dc2b48f027588acc6358b5555ff205ad678b8f4f619bcfcc8e0733a60ab8a10663a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8sG8rlmD33.bat
Filesize
249B

MD5
e272e64b93bca8f327a408f05123e264

SHA1
cf2b899936cda9560ece5e7bd9951e3e1533a5f0

SHA256
65c6bfe7e15dad23dee1a6ff38f419150f4dbbc2a162da8593618b78ad578d34

SHA512
eaf8a7a3d01b0d7a3a363439df45ebd405bf4f2d5be994714be00c692f1defef61892e7176070a4778b832d8e75beca6c8b8c463673b814c95c86db029b247cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ad15bc0d1fadd100179b389806ac1f1d

SHA1
e0ffcaaa5f931c08877d45dc8ab852192e0b6119

SHA256
cc4a8e714a18e3ab7e006e475528687ad5304c5fe21f1a043506505c89c760e1

SHA512
e6782d57b51b1b37c8f0c299426ae418b43f61b54a328f4b205a9f0adbe28ae1611969c8ca4be3963bec794e2477b1d8b5bebf18a39a0a35013e03b67ec8b9a7

Download Submit
memory/1456-120-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x00000000013C0000-0x00000000013C8000-memory.dmp

Filesize
32KB

Download
memory/1504-60-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/1504-72-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/1504-73-0x000000001B376000-0x000000001B395000-memory.dmp

Filesize
124KB

Download
memory/1504-74-0x000000001B376000-0x000000001B395000-memory.dmp

Filesize
124KB

Download
memory/1504-54-0x00000000013D0000-0x0000000001674000-memory.dmp

Filesize
2.6MB

Download
memory/1504-55-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/1504-56-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1504-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1504-58-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/1504-59-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1504-69-0x000000001AD50000-0x000000001AD58000-memory.dmp

Filesize
32KB

Download
memory/1504-70-0x00000000013B0000-0x00000000013BE000-memory.dmp

Filesize
56KB

Download
memory/1504-68-0x00000000011C0000-0x00000000011CC000-memory.dmp

Filesize
48KB

Download
memory/1504-67-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/1504-61-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1504-127-0x000000001B376000-0x000000001B395000-memory.dmp

Filesize
124KB

Download
memory/1504-66-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/1504-65-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1504-64-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/1504-62-0x0000000000A80000-0x0000000000AD6000-memory.dmp

Filesize
344KB

Download
memory/1504-63-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1808-126-0x0000000000000000-mapping.dmp

Download
memory/2096-113-0x0000000000000000-mapping.dmp

Download
memory/2224-128-0x0000000000000000-mapping.dmp

Download
memory/2224-132-0x000000001B236000-0x000000001B255000-memory.dmp

Filesize
124KB

Download
memory/2224-161-0x000000001B236000-0x000000001B255000-memory.dmp

Filesize
124KB

Download
memory/2224-131-0x0000000000EB0000-0x0000000001154000-memory.dmp

Filesize
2.6MB

Download
memory/2408-159-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/2408-192-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/2408-145-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2408-92-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2408-194-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2408-138-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2408-170-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2408-75-0x0000000000000000-mapping.dmp

Download
memory/2420-134-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2420-89-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2420-80-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/2420-189-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/2420-136-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2420-169-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2420-160-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/2420-191-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/2420-76-0x0000000000000000-mapping.dmp

Download
memory/2440-167-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2440-90-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2440-135-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2440-77-0x0000000000000000-mapping.dmp

Download
memory/2440-199-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2440-200-0x000000000274B000-0x000000000276A000-memory.dmp

Filesize
124KB

Download
memory/2440-133-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2440-162-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/2460-137-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2460-197-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/2460-176-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2460-177-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/2460-163-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2460-78-0x0000000000000000-mapping.dmp

Download
memory/2460-140-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2460-198-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2488-79-0x0000000000000000-mapping.dmp

Download
memory/2488-188-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2488-143-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/2488-179-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/2488-204-0x0000000002284000-0x0000000002287000-memory.dmp

Filesize
12KB

Download
memory/2488-142-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2488-165-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2488-202-0x000000000228B000-0x00000000022AA000-memory.dmp

Filesize
124KB

Download
memory/2520-146-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2520-151-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2520-81-0x0000000000000000-mapping.dmp

Download
memory/2520-181-0x0000000002904000-0x0000000002907000-memory.dmp

Filesize
12KB

Download
memory/2520-166-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2544-186-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2544-83-0x0000000000000000-mapping.dmp

Download
memory/2544-157-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/2544-153-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2544-172-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2612-178-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2612-195-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/2612-85-0x0000000000000000-mapping.dmp

Download
memory/2612-182-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/2612-193-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2612-141-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/2612-190-0x000000000287B000-0x000000000289A000-memory.dmp

Filesize
124KB

Download
memory/2612-164-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2612-139-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2648-187-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/2648-88-0x0000000000000000-mapping.dmp

Download
memory/2648-203-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/2648-173-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2648-149-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2648-158-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/2720-147-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2720-175-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2720-94-0x0000000000000000-mapping.dmp

Download
memory/2720-154-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2720-183-0x0000000002694000-0x0000000002697000-memory.dmp

Filesize
12KB

Download
memory/2776-156-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2776-185-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/2776-168-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2776-205-0x000000001B900000-0x000000001BBFF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-98-0x0000000000000000-mapping.dmp

Download
memory/2776-152-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2840-210-0x000000001B9A0000-0x000000001BC9F000-memory.dmp

Filesize
3.0MB

Download
memory/2840-174-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2840-100-0x0000000000000000-mapping.dmp

Download
memory/2840-144-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2840-180-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2840-148-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2892-171-0x000007FEE97D0000-0x000007FEEA32D000-memory.dmp

Filesize
11.4MB

Download
memory/2892-150-0x000007FEEB300000-0x000007FEEBD23000-memory.dmp

Filesize
10.1MB

Download
memory/2892-155-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2892-103-0x0000000000000000-mapping.dmp

Download
memory/2892-184-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/2964-107-0x0000000000000000-mapping.dmp

Download
memory/3028-109-0x0000000000000000-mapping.dmp

Download
memory/3052-110-0x0000000000000000-mapping.dmp

Download