dcrat | 08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a58202c976291d628df312bcd090e5e.exe
Size

1.1MB
MD5

0a58202c976291d628df312bcd090e5e
SHA1

d8b5759fde291c74e38a405c1dcc1f6cfa22fa63
SHA256

08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7
SHA512

e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd
SSDEEP

12288:El+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:Zyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1576	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1576	schtasks.exe	28

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000CF0000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/files/0x0007000000015c86-17.dat	dcrat
behavioral1/files/0x0005000000019336-82.dat	dcrat
behavioral1/files/0x0007000000015cb1-126.dat	dcrat
behavioral1/memory/1668-155-0x000000001B410000-0x000000001B490000-memory.dmp	dcrat
behavioral1/files/0x000f000000015d04-188.dat	dcrat
behavioral1/files/0x0007000000015cb1-356.dat	dcrat
behavioral1/files/0x0007000000015cb1-355.dat	dcrat
behavioral1/memory/1260-357-0x0000000000AF0000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/1260-372-0x000000001AF30000-0x000000001AFB0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1260	0a58202c976291d628df312bcd090e5e.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCX8A89.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\Microsoft Office\Idle.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\DVD Maker\fr-FR\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX6C95.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX83EF.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX6A80.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCX8A8A.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\DVD Maker\fr-FR\936ce0a08db208	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\886983d96e3d3e	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX686D.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\Microsoft Office\6ccacd8608530f	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX7821.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX83DE.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\smss.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\DVD Maker\es-ES\5940a34987c991	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\smss.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\dllhost.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsm.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX7C59.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX8807.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\27d1bcfc3c54e0	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\DVD Maker\es-ES\dllhost.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX6A91.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX7A45.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX8808.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\69ddcba757bf72	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX7CD7.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX6CA5.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX7832.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\RCX7A46.tmp	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\MSBuild\lsm.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX685C.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Program Files\Microsoft Office\Idle.exe	0a58202c976291d628df312bcd090e5e.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Windows\Speech\936ce0a08db208	0a58202c976291d628df312bcd090e5e.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\fr-FR\sppsvc.exe	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\Speech\RCX6F16.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\Speech\RCX6F94.tmp	0a58202c976291d628df312bcd090e5e.exe
File opened for modification	C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe	0a58202c976291d628df312bcd090e5e.exe

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2780	schtasks.exe
1948	schtasks.exe
1756	schtasks.exe
868	schtasks.exe
1952	schtasks.exe
3048	schtasks.exe
980	schtasks.exe
1608	schtasks.exe
1172	schtasks.exe
2108	schtasks.exe
2516	schtasks.exe
2536	schtasks.exe
1880	schtasks.exe
2396	schtasks.exe
2564	schtasks.exe
2732	schtasks.exe
1376	schtasks.exe
1060	schtasks.exe
2920	schtasks.exe
1804	schtasks.exe
2740	schtasks.exe
2072	schtasks.exe
2876	schtasks.exe
992	schtasks.exe
2604	schtasks.exe
1016	schtasks.exe
2164	schtasks.exe
2988	schtasks.exe
2640	schtasks.exe
2808	schtasks.exe
2664	schtasks.exe
1552	schtasks.exe
1940	schtasks.exe
2872	schtasks.exe
1028	schtasks.exe
1980	schtasks.exe
760	schtasks.exe
3064	schtasks.exe
1488	schtasks.exe
2064	schtasks.exe
2500	schtasks.exe
1616	schtasks.exe
2140	schtasks.exe
1624	schtasks.exe
2612	schtasks.exe
1092	schtasks.exe
1216	schtasks.exe
520	schtasks.exe
1988	schtasks.exe
2328	schtasks.exe
3068	schtasks.exe
1900	schtasks.exe
272	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1668	0a58202c976291d628df312bcd090e5e.exe
1668	0a58202c976291d628df312bcd090e5e.exe
1668	0a58202c976291d628df312bcd090e5e.exe
2356	powershell.exe
2196	powershell.exe
2680	powershell.exe
2180	powershell.exe
2808	powershell.exe
2044	powershell.exe
1608	powershell.exe
3024	powershell.exe
1988	powershell.exe
1548	powershell.exe
2712	powershell.exe
2148	powershell.exe
1260	0a58202c976291d628df312bcd090e5e.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	0a58202c976291d628df312bcd090e5e.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1260	0a58202c976291d628df312bcd090e5e.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2356	1668	0a58202c976291d628df312bcd090e5e.exe	83
PID 1668 wrote to memory of 2356	1668	0a58202c976291d628df312bcd090e5e.exe	83
PID 1668 wrote to memory of 2356	1668	0a58202c976291d628df312bcd090e5e.exe	83
PID 1668 wrote to memory of 2044	1668	0a58202c976291d628df312bcd090e5e.exe	93
PID 1668 wrote to memory of 2044	1668	0a58202c976291d628df312bcd090e5e.exe	93
PID 1668 wrote to memory of 2044	1668	0a58202c976291d628df312bcd090e5e.exe	93
PID 1668 wrote to memory of 2196	1668	0a58202c976291d628df312bcd090e5e.exe	85
PID 1668 wrote to memory of 2196	1668	0a58202c976291d628df312bcd090e5e.exe	85
PID 1668 wrote to memory of 2196	1668	0a58202c976291d628df312bcd090e5e.exe	85
PID 1668 wrote to memory of 2180	1668	0a58202c976291d628df312bcd090e5e.exe	87
PID 1668 wrote to memory of 2180	1668	0a58202c976291d628df312bcd090e5e.exe	87
PID 1668 wrote to memory of 2180	1668	0a58202c976291d628df312bcd090e5e.exe	87
PID 1668 wrote to memory of 2808	1668	0a58202c976291d628df312bcd090e5e.exe	88
PID 1668 wrote to memory of 2808	1668	0a58202c976291d628df312bcd090e5e.exe	88
PID 1668 wrote to memory of 2808	1668	0a58202c976291d628df312bcd090e5e.exe	88
PID 1668 wrote to memory of 2680	1668	0a58202c976291d628df312bcd090e5e.exe	91
PID 1668 wrote to memory of 2680	1668	0a58202c976291d628df312bcd090e5e.exe	91
PID 1668 wrote to memory of 2680	1668	0a58202c976291d628df312bcd090e5e.exe	91
PID 1668 wrote to memory of 2712	1668	0a58202c976291d628df312bcd090e5e.exe	92
PID 1668 wrote to memory of 2712	1668	0a58202c976291d628df312bcd090e5e.exe	92
PID 1668 wrote to memory of 2712	1668	0a58202c976291d628df312bcd090e5e.exe	92
PID 1668 wrote to memory of 2148	1668	0a58202c976291d628df312bcd090e5e.exe	94
PID 1668 wrote to memory of 2148	1668	0a58202c976291d628df312bcd090e5e.exe	94
PID 1668 wrote to memory of 2148	1668	0a58202c976291d628df312bcd090e5e.exe	94
PID 1668 wrote to memory of 3024	1668	0a58202c976291d628df312bcd090e5e.exe	96
PID 1668 wrote to memory of 3024	1668	0a58202c976291d628df312bcd090e5e.exe	96
PID 1668 wrote to memory of 3024	1668	0a58202c976291d628df312bcd090e5e.exe	96
PID 1668 wrote to memory of 1988	1668	0a58202c976291d628df312bcd090e5e.exe	98
PID 1668 wrote to memory of 1988	1668	0a58202c976291d628df312bcd090e5e.exe	98
PID 1668 wrote to memory of 1988	1668	0a58202c976291d628df312bcd090e5e.exe	98
PID 1668 wrote to memory of 1548	1668	0a58202c976291d628df312bcd090e5e.exe	99
PID 1668 wrote to memory of 1548	1668	0a58202c976291d628df312bcd090e5e.exe	99
PID 1668 wrote to memory of 1548	1668	0a58202c976291d628df312bcd090e5e.exe	99
PID 1668 wrote to memory of 1608	1668	0a58202c976291d628df312bcd090e5e.exe	100
PID 1668 wrote to memory of 1608	1668	0a58202c976291d628df312bcd090e5e.exe	100
PID 1668 wrote to memory of 1608	1668	0a58202c976291d628df312bcd090e5e.exe	100
PID 1668 wrote to memory of 1940	1668	0a58202c976291d628df312bcd090e5e.exe	107
PID 1668 wrote to memory of 1940	1668	0a58202c976291d628df312bcd090e5e.exe	107
PID 1668 wrote to memory of 1940	1668	0a58202c976291d628df312bcd090e5e.exe	107
PID 1940 wrote to memory of 3056	1940	cmd.exe	109
PID 1940 wrote to memory of 3056	1940	cmd.exe	109
PID 1940 wrote to memory of 3056	1940	cmd.exe	109
PID 1940 wrote to memory of 1260	1940	cmd.exe	110
PID 1940 wrote to memory of 1260	1940	cmd.exe	110
PID 1940 wrote to memory of 1260	1940	cmd.exe	110

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0a58202c976291d628df312bcd090e5e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0a58202c976291d628df312bcd090e5e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0a58202c976291d628df312bcd090e5e.exe
"C:\Users\Admin\AppData\Local\Temp\0a58202c976291d628df312bcd090e5e.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3056
- - C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe
    "C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\fr-FR\0a58202c976291d628df312bcd090e5e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\fr-FR\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e" /sc ONLOGON /tr "'C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0a58202c976291d628df312bcd090e5e0" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\csrss.exe

Filesize
1.1MB

MD5
85ecde80064fb749360e4f40e063b8d6

SHA1
e0e44c4124f253926bc27412615bb8bf629e2178

SHA256
1fc43ccd80e35b47e295699c13c84715a54e0ca9622715f3d56a7e1d9191b175

SHA512
1692f28b47d092bbe688a23659b0bb6239af485c7698b9438a04fa6c43b6467771888e45221a9f8d0ffbf1962d73b499f25527f2db6368c2b40a006dc460e035

Download Submit
C:\Program Files\Microsoft Office\Idle.exe

Filesize
1.1MB

MD5
0a58202c976291d628df312bcd090e5e

SHA1
d8b5759fde291c74e38a405c1dcc1f6cfa22fa63

SHA256
08aa2d466ba6309aa9395b0a5ef0af543aed33270a65ed397401e35fa3ba7fe7

SHA512
e98f581fa1e22538dd4b271480319f6d9fe7ef7544f9d5b508d18c202329f0d63805a3fe476d97d249b370f7ea3e4353de2d2099b64c5a707af229c86cf512fd

Download Submit
C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\dllhost.exe

Filesize
1.1MB

MD5
05d232dd3996e8b03fc092de8edd0c77

SHA1
35ae9115bb3e9271784b1beda30bc560b091ead4

SHA256
8665f1abddf9edbd2bd50c7cc400b3ff07d02e0b340a9a4d8acd8ede31607839

SHA512
c27947dffc37963b3841382f95e3b53c78f70a2a2f4324323652c90882da96ee53d54604a6707c4762d9f2dba4ce9eb1e0dbb3de6e3ba5f40ae3f5046e84d482

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD7AB.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD82B.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5MeZyGQdN.bat

Filesize
219B

MD5
730cb6de98b007cbcf71c9dfc17bce34

SHA1
e9c804e4dae55437ce688a295b1b6606293afba2

SHA256
316bf07092dd5f47fa27d9977b06db2bb7e70c28d5f34979b351c096b75b9390

SHA512
b979fac97ae12617741569999d92831002d239a2ff17680185ac1857a5706d69868aea2d40668bb85d83515ddb07079269949c867997f50a2d58ac127e384d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\32A9VMIZUCHO1SM39VH4.temp

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a8c290f6babc12ede427f5dc623efacd

SHA1
85a7ceb6e979a1959ae068effc9c08fdbcd489a9

SHA256
b22b7fba388e45e5fbe15ce79c9d37c59aaa7e148412fce5ee0091b7cd327924

SHA512
311034f1045eb07e426b4d59dc88e35efc3f775150cb5d9889ba532ab14d22e363e4f23b82ee9e29db749b7310db303fc09eee430a4dc5cdbe694cb32250c956

Download Submit
C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe

Filesize
1.1MB

MD5
9db61e8d446063f0ead3f419b34d2dbb

SHA1
73422606ebc8ea94dc08d6855b93d22e1f5818f5

SHA256
3beb7522ce19fd067f84fd67398334e96028c078f117678e890e150189c6a1ff

SHA512
60a5925c91383e9fa602e83b3e4df1dcae050c8f80a3559a7431d02e2f888404acfc17edc72c1fb6a0efd05fd26b7a80c2191266360e934ef4d830b2d11a1cee

Download Submit
C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe

Filesize
1.1MB

MD5
9db61e8d446063f0ead3f419b34d2dbb

SHA1
73422606ebc8ea94dc08d6855b93d22e1f5818f5

SHA256
3beb7522ce19fd067f84fd67398334e96028c078f117678e890e150189c6a1ff

SHA512
60a5925c91383e9fa602e83b3e4df1dcae050c8f80a3559a7431d02e2f888404acfc17edc72c1fb6a0efd05fd26b7a80c2191266360e934ef4d830b2d11a1cee

Download Submit
C:\Windows\Speech\0a58202c976291d628df312bcd090e5e.exe

Filesize
1.1MB

MD5
9db61e8d446063f0ead3f419b34d2dbb

SHA1
73422606ebc8ea94dc08d6855b93d22e1f5818f5

SHA256
3beb7522ce19fd067f84fd67398334e96028c078f117678e890e150189c6a1ff

SHA512
60a5925c91383e9fa602e83b3e4df1dcae050c8f80a3559a7431d02e2f888404acfc17edc72c1fb6a0efd05fd26b7a80c2191266360e934ef4d830b2d11a1cee

Download Submit
memory/1260-372-0x000000001AF30000-0x000000001AFB0000-memory.dmp

Filesize
512KB

Download
memory/1260-357-0x0000000000AF0000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1260-371-0x000007FEF2AD0000-0x000007FEF34BC000-memory.dmp

Filesize
9.9MB

Download
memory/1548-361-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1548-360-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1548-359-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/1548-362-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1608-350-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1608-346-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/1608-347-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1668-6-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1668-5-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1668-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-3-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/1668-2-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/1668-155-0x000000001B410000-0x000000001B490000-memory.dmp

Filesize
512KB

Download
memory/1668-4-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1668-143-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-7-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1668-273-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-0-0x0000000000CF0000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/1668-8-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1988-353-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/1988-358-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1988-354-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2044-342-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2044-343-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2044-345-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2044-344-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-368-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2148-369-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2148-367-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2148-370-0x0000000002400000-0x0000000002480000-memory.dmp

Filesize
512KB

Download
memory/2180-334-0x000000000292B000-0x0000000002992000-memory.dmp

Filesize
412KB

Download
memory/2180-331-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2180-326-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2180-325-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-338-0x0000000002B2B000-0x0000000002B92000-memory.dmp

Filesize
412KB

Download
memory/2196-327-0x0000000002B24000-0x0000000002B27000-memory.dmp

Filesize
12KB

Download
memory/2196-324-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2196-323-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-290-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2356-332-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/2356-335-0x000000000273B000-0x00000000027A2000-memory.dmp

Filesize
412KB

Download
memory/2356-291-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2356-321-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2356-322-0x0000000002730000-0x00000000027B0000-memory.dmp

Filesize
512KB

Download
memory/2356-329-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-330-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2680-337-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/2680-328-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-333-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2680-340-0x00000000028AB000-0x0000000002912000-memory.dmp

Filesize
412KB

Download
memory/2712-365-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2712-366-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2712-364-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-363-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2808-336-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-341-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/2808-339-0x0000000002420000-0x00000000024A0000-memory.dmp

Filesize
512KB

Download
memory/3024-352-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3024-348-0x000007FEEDA90000-0x000007FEEE42D000-memory.dmp

Filesize
9.6MB

Download
memory/3024-349-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/3024-351-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download