dcrat | 4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06cb1bb9f65f954677aa5e66cfecad10.exe
Size

4.9MB
MD5

06cb1bb9f65f954677aa5e66cfecad10
SHA1

7226decd411a371d2727b8b6742f578425b0a7c2
SHA256

4faa19632922332b8aedd25006c9c3349bcb9f2bf24bf116857258a7769efbf0
SHA512

ea81cca73a9abad99666e974ae73b9cc38d19fa666b0914d518dee731eab4ed2ed3b7797f453db2f0f22ce6cdc2866591ac0cc56aa01d7530b29e30da8cc098b
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1444	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1000-55-0x000000001B470000-0x000000001B59E000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

2848 explorer.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2848	explorer.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ipinfo.io
8 ipinfo.io

flow	ioc
7	ipinfo.io
8	ipinfo.io

Drops file in Program Files directory 24 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\6203df4a6bafc7	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCX86D9.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\Idle.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCX8EE5.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Adobe\smss.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\7a0fd90576e088	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX7ECD.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\lsass.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Adobe\smss.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Adobe\69ddcba757bf72	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\RCX5D64.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\de-DE\lsass.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files\DVD Maker\ja-JP\Idle.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files\DVD Maker\ja-JP\6ccacd8608530f	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\69ddcba757bf72	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX6561.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\RCXBA00.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe

Drops file in Windows directory 20 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exe

description	ioc	process
File created	C:\Windows\Registration\CRMLog\explorer.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\SchCache\27d1bcfc3c54e0	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\Registration\CRMLog\explorer.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\tracing\WMIADAP.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\addins\winlogon.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\twain_32\services.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\Registration\CRMLog\7a0fd90576e088	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\tracing\WMIADAP.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\addins\winlogon.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\addins\cc11b995f2a76d	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\twain_32\RCX3556.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\tracing\RCX6EC4.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\SchCache\RCX76D0.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\addins\RCX96E2.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\twain_32\c5b4cb5e9653cc	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\tracing\75a57c1bdf437c	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\SchCache\System.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File created	C:\Windows\twain_32\services.exe	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX456E.tmp	06cb1bb9f65f954677aa5e66cfecad10.exe
File opened for modification	C:\Windows\SchCache\System.exe	06cb1bb9f65f954677aa5e66cfecad10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1752	schtasks.exe
1704	schtasks.exe
1912	schtasks.exe
1656	schtasks.exe
1296	schtasks.exe
916	schtasks.exe
1608	schtasks.exe
1096	schtasks.exe
2064	schtasks.exe
536	schtasks.exe
2044	schtasks.exe
936	schtasks.exe
1744	schtasks.exe
1528	schtasks.exe
1160	schtasks.exe
1704	schtasks.exe
1032	schtasks.exe
1904	schtasks.exe
108	schtasks.exe
1696	schtasks.exe
580	schtasks.exe
1028	schtasks.exe
1616	schtasks.exe
1380	schtasks.exe
2040	schtasks.exe
1748	schtasks.exe
332	schtasks.exe
1652	schtasks.exe
1216	schtasks.exe
1944	schtasks.exe
972	schtasks.exe
304	schtasks.exe
1408	schtasks.exe
344	schtasks.exe
2088	schtasks.exe
764	schtasks.exe
2028	schtasks.exe
1596	schtasks.exe
964	schtasks.exe
1480	schtasks.exe
544	schtasks.exe
2032	schtasks.exe
1844	schtasks.exe
1996	schtasks.exe
1480	schtasks.exe
1796	schtasks.exe
984	schtasks.exe
1720	schtasks.exe
1940	schtasks.exe
1328	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1000	06cb1bb9f65f954677aa5e66cfecad10.exe
1000	06cb1bb9f65f954677aa5e66cfecad10.exe
1000	06cb1bb9f65f954677aa5e66cfecad10.exe
2848	explorer.exe
2308	powershell.exe
2504	powershell.exe
2188	powershell.exe
2268	powershell.exe
2156	powershell.exe
2240	powershell.exe
2216	powershell.exe
2448	powershell.exe
2356	powershell.exe
2564	powershell.exe
2408	powershell.exe
2168	powershell.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe
2848	explorer.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1000	06cb1bb9f65f954677aa5e66cfecad10.exe
Token: SeDebugPrivilege	2848	explorer.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2848 explorer.exe

pid	process
2848	explorer.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exeexplorer.exe

description	pid	process	target process
PID 1000 wrote to memory of 2156	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2156	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2156	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2168	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2168	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2168	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2188	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2188	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2188	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2216	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2216	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2216	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2240	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2240	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2240	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2268	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2268	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2268	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2308	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2308	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2308	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2356	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2356	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2356	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2408	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2408	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2408	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2448	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2448	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2448	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2504	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2504	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2504	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2564	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2564	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2564	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	powershell.exe
PID 1000 wrote to memory of 2848	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	explorer.exe
PID 1000 wrote to memory of 2848	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	explorer.exe
PID 1000 wrote to memory of 2848	1000	06cb1bb9f65f954677aa5e66cfecad10.exe	explorer.exe
PID 2848 wrote to memory of 2144	2848	explorer.exe	WScript.exe
PID 2848 wrote to memory of 2144	2848	explorer.exe	WScript.exe
PID 2848 wrote to memory of 2144	2848	explorer.exe	WScript.exe
PID 2848 wrote to memory of 2476	2848	explorer.exe	WScript.exe
PID 2848 wrote to memory of 2476	2848	explorer.exe	WScript.exe
PID 2848 wrote to memory of 2476	2848	explorer.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

06cb1bb9f65f954677aa5e66cfecad10.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	06cb1bb9f65f954677aa5e66cfecad10.exe

C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe
"C:\Users\Admin\AppData\Local\Temp\06cb1bb9f65f954677aa5e66cfecad10.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe
"C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2848

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d55af52-45aa-47af-85c8-56680f45e36b.vbs"
3⤵
PID:2144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ac61b8a-5faf-4f76-99e2-4d046d753c8b.vbs"
3⤵
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Hearts\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\tracing\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Updater6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe
Filesize
4.9MB

MD5
8da731dc498c8af0a1cbedcdfccd4cef

SHA1
e0138124e604d95b4af615f518e880ceecc49219

SHA256
bbea593fc8f5db3d76db0ada2dc7e77ecff5056d45f42137a4f8b156382d5796

SHA512
ad9b907ee53dc776f97c10f32aea86487778a78aea371241d10954c404733e4d8e7096fa558a124987d10d9e4293945a1c2664809212613b4c885cf8df236b8d

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\explorer.exe
Filesize
4.9MB

MD5
8da731dc498c8af0a1cbedcdfccd4cef

SHA1
e0138124e604d95b4af615f518e880ceecc49219

SHA256
bbea593fc8f5db3d76db0ada2dc7e77ecff5056d45f42137a4f8b156382d5796

SHA512
ad9b907ee53dc776f97c10f32aea86487778a78aea371241d10954c404733e4d8e7096fa558a124987d10d9e4293945a1c2664809212613b4c885cf8df236b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d55af52-45aa-47af-85c8-56680f45e36b.vbs
Filesize
734B

MD5
cb0e5caa68f0efa1df5716418de446c6

SHA1
9fa589269f6bd816e4ef1cd8487173421dea611d

SHA256
7272152ebeffdade8882277951d713c64ef1397088f6f04c8a228184d2cbdf7f

SHA512
6e502319287f7c8d882162b7057296c3611813f6bf3c2b48140932aa301f0e1e941263415fc2d456fa97e05bf63b9fb4ed13382374953e47132e82a0d51a3ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ac61b8a-5faf-4f76-99e2-4d046d753c8b.vbs
Filesize
510B

MD5
7301c17ee342f83a9ba31d39c8000d05

SHA1
97ebdb1406fc6ee8004a13357f9ad05b6631f1cd

SHA256
51294664936d639cd6e350ca2b1db1f166162ed53430a24458c9d991500adf11

SHA512
41661857cb7ebda55f017e34ca00ec977f3896349f0da52c546ce3cf0c6b8354ce4665b48930b7ae9f4f59e7a0ec41d03c8499ed13b8f0eebe8a97a5e73eb475

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9e044b0f30b5fe0f822005922adc7179

SHA1
d27f4341b786513b4d752d9e123bd3936701d0ee

SHA256
f21e70fa6691b83d293416dc4e8b29f9bbbe447909cf8981e7b68b77498fb843

SHA512
7a31192eb06775c8224e64d70df8f49697b88884dee0d885fc2b0f7ee25d49460cb6abfd7fd71f8e8879e047d73243620365b4a9b8775eb5c5629305011a01a1

Download Submit
memory/1000-67-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/1000-59-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/1000-54-0x0000000000AD0000-0x0000000000FC4000-memory.dmp

Filesize
5.0MB

Download
memory/1000-55-0x000000001B470000-0x000000001B59E000-memory.dmp

Filesize
1.2MB

Download
memory/1000-56-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/1000-57-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1000-58-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1000-66-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1000-68-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/1000-60-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/1000-61-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1000-65-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/1000-62-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1000-63-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1000-64-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/2144-183-0x0000000000000000-mapping.dmp

Download
memory/2156-154-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2156-80-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2156-69-0x0000000000000000-mapping.dmp

Download
memory/2156-134-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2156-144-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/2156-156-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2156-74-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/2156-131-0x00000000023F0000-0x0000000002470000-memory.dmp

Filesize
512KB

Download
memory/2168-190-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2168-139-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2168-70-0x0000000000000000-mapping.dmp

Download
memory/2168-159-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2168-133-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2168-84-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2168-178-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/2168-171-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/2188-143-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2188-71-0x0000000000000000-mapping.dmp

Download
memory/2188-142-0x000000001B8E0000-0x000000001BBDF000-memory.dmp

Filesize
3.0MB

Download
memory/2188-118-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2188-155-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2188-122-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2188-166-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/2188-165-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/2188-108-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2216-132-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/2216-167-0x000000001B9F0000-0x000000001BCEF000-memory.dmp

Filesize
3.0MB

Download
memory/2216-72-0x0000000000000000-mapping.dmp

Download
memory/2216-137-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2216-158-0x0000000002954000-0x0000000002957000-memory.dmp

Filesize
12KB

Download
memory/2216-176-0x000000000295B000-0x000000000297A000-memory.dmp

Filesize
124KB

Download
memory/2216-115-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2240-149-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2240-135-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2240-126-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2240-175-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2240-161-0x000000001B910000-0x000000001BC0F000-memory.dmp

Filesize
3.0MB

Download
memory/2240-73-0x0000000000000000-mapping.dmp

Download
memory/2240-185-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2240-184-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2240-110-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2268-163-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2268-157-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/2268-147-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2268-76-0x0000000000000000-mapping.dmp

Download
memory/2268-120-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2268-111-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2268-124-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2268-164-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/2268-145-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/2308-121-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2308-125-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2308-77-0x0000000000000000-mapping.dmp

Download
memory/2308-148-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2308-113-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2308-173-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/2308-160-0x000000001B8B0000-0x000000001BBAF000-memory.dmp

Filesize
3.0MB

Download
memory/2308-179-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2308-180-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/2356-138-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2356-128-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2356-169-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/2356-79-0x0000000000000000-mapping.dmp

Download
memory/2356-187-0x000000000283B000-0x000000000285A000-memory.dmp

Filesize
124KB

Download
memory/2356-151-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/2356-114-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2408-129-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/2408-141-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2408-83-0x0000000000000000-mapping.dmp

Download
memory/2408-188-0x000000000231B000-0x000000000233A000-memory.dmp

Filesize
124KB

Download
memory/2408-170-0x000000001B990000-0x000000001BC8F000-memory.dmp

Filesize
3.0MB

Download
memory/2408-116-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2408-152-0x0000000002314000-0x0000000002317000-memory.dmp

Filesize
12KB

Download
memory/2448-109-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2448-136-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2448-85-0x0000000000000000-mapping.dmp

Download
memory/2448-186-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/2448-189-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2448-127-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2448-150-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/2476-200-0x0000000000000000-mapping.dmp

Download
memory/2504-146-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2504-162-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/2504-123-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2504-174-0x000000000233B000-0x000000000235A000-memory.dmp

Filesize
124KB

Download
memory/2504-112-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2504-181-0x0000000002334000-0x0000000002337000-memory.dmp

Filesize
12KB

Download
memory/2504-182-0x000000000233B000-0x000000000235A000-memory.dmp

Filesize
124KB

Download
memory/2504-119-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2504-90-0x0000000000000000-mapping.dmp

Download
memory/2564-117-0x000007FEEB220000-0x000007FEEBC43000-memory.dmp

Filesize
10.1MB

Download
memory/2564-168-0x000000001BAD0000-0x000000001BDCF000-memory.dmp

Filesize
3.0MB

Download
memory/2564-140-0x000007FEEDC80000-0x000007FEEE7DD000-memory.dmp

Filesize
11.4MB

Download
memory/2564-177-0x0000000001F1B000-0x0000000001F3A000-memory.dmp

Filesize
124KB

Download
memory/2564-153-0x0000000001F14000-0x0000000001F17000-memory.dmp

Filesize
12KB

Download
memory/2564-91-0x0000000000000000-mapping.dmp

Download
memory/2564-130-0x0000000001F14000-0x0000000001F17000-memory.dmp

Filesize
12KB

Download
memory/2848-104-0x0000000000000000-mapping.dmp

Download
memory/2848-107-0x00000000009C0000-0x0000000000EB4000-memory.dmp

Filesize
5.0MB

Download