dcrat | 0e73be00fb48868adb24c8efefd7dd657b76cb668031b0aec10acb7d089be563

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Size

1.1MB
MD5

7e3fc0585f620c6b0f37da94e6bab530
SHA1

655e53dd3beac3ea341445851fc5a081a2aa6467
SHA256

0e73be00fb48868adb24c8efefd7dd657b76cb668031b0aec10acb7d089be563
SHA512

10cd059d42a81c688a65dda526ff3ed183ce681bb2a0e98f54dddc283102b2310e0759bdb286188bf13605962dc41bdfe63542a53427b5ad1c655cec6dfff085
SSDEEP

12288:El+4Tcyct/JWT7yckBlepmbMsBXYHOWyAh5+djVyKDGpiRe7FaS+ug82qGeJ3btU:Zyc5JWackYm7dZ1Oq2nn2qPJ3btV3+f

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2708	schtasks.exe	10
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2708	schtasks.exe	10

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2212-0-0x00000000002E0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/files/0x0005000000019487-17.dat	dcrat
behavioral1/memory/2212-22-0x000000001B040000-0x000000001B0C0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019fef-62.dat	dcrat
behavioral1/files/0x000700000001a417-130.dat	dcrat
behavioral1/files/0x00070000000194a4-141.dat	dcrat
behavioral1/files/0x00060000000195bf-184.dat	dcrat
behavioral1/files/0x00090000000195c3-230.dat	dcrat
behavioral1/files/0x00060000000195d9-264.dat	dcrat
behavioral1/files/0x00060000000195bf-381.dat	dcrat
behavioral1/files/0x00060000000195bf-380.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1416	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\42af1c969fbb7b	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\Windows Journal\RCXDA28.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXE130.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCXCDFD.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RCXD524.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\Windows Journal\audiodg.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\System.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCXCDFE.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\explorer.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\System.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\27d1bcfc3c54e0	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RCXD525.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXE140.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF473.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files\DVD Maker\ja-JP\explorer.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files\Windows Journal\audiodg.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\6cb0b6c459d5d3	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\cc11b995f2a76d	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXEDC8.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXF472.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files\DVD Maker\ja-JP\7a0fd90576e088	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files\Windows Journal\RCXD9AB.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXEDB8.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\0a1fd5f707cd16	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\smss.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\27d1bcfc3c54e0	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\twain_32\RCXCB7B.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\twain_32\RCXCBF9.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\RCXDC2C.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Windows\twain_32\sppsvc.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File created	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\RCXDC9A.tmp	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
File opened for modification	C:\Windows\twain_32\sppsvc.exe	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
768	schtasks.exe
2036	schtasks.exe
1400	schtasks.exe
1656	schtasks.exe
2648	schtasks.exe
1148	schtasks.exe
2504	schtasks.exe
2672	schtasks.exe
2696	schtasks.exe
1700	schtasks.exe
940	schtasks.exe
2588	schtasks.exe
1132	schtasks.exe
1540	schtasks.exe
2316	schtasks.exe
1100	schtasks.exe
1208	schtasks.exe
784	schtasks.exe
1676	schtasks.exe
2604	schtasks.exe
1112	schtasks.exe
2472	schtasks.exe
3056	schtasks.exe
1416	schtasks.exe
1536	schtasks.exe
1712	schtasks.exe
1688	schtasks.exe
520	schtasks.exe
2060	schtasks.exe
2796	schtasks.exe
2656	schtasks.exe
780	schtasks.exe
1164	schtasks.exe
3004	schtasks.exe
1592	schtasks.exe
2572	schtasks.exe
2864	schtasks.exe
392	schtasks.exe
1772	schtasks.exe
2152	schtasks.exe
2740	schtasks.exe
2924	schtasks.exe
1224	schtasks.exe
888	schtasks.exe
2888	schtasks.exe
2684	schtasks.exe
588	schtasks.exe
2548	schtasks.exe
2516	schtasks.exe
2676	schtasks.exe
2748	schtasks.exe
2932	schtasks.exe
704	schtasks.exe
1308	schtasks.exe
2972	schtasks.exe
2784	schtasks.exe
1480	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1416	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
2856	powershell.exe
2236	powershell.exe
1676	powershell.exe
2164	powershell.exe
1132	powershell.exe
2792	powershell.exe
3064	powershell.exe
1400	powershell.exe
2628	powershell.exe
2464	powershell.exe
3060	powershell.exe
1808	powershell.exe
1416	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1416	sppsvc.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2792	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	88
PID 2212 wrote to memory of 2792	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	88
PID 2212 wrote to memory of 2792	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	88
PID 2212 wrote to memory of 2628	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	90
PID 2212 wrote to memory of 2628	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	90
PID 2212 wrote to memory of 2628	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	90
PID 2212 wrote to memory of 1808	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	93
PID 2212 wrote to memory of 1808	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	93
PID 2212 wrote to memory of 1808	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	93
PID 2212 wrote to memory of 2856	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	92
PID 2212 wrote to memory of 2856	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	92
PID 2212 wrote to memory of 2856	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	92
PID 2212 wrote to memory of 3060	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	95
PID 2212 wrote to memory of 3060	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	95
PID 2212 wrote to memory of 3060	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	95
PID 2212 wrote to memory of 1132	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	110
PID 2212 wrote to memory of 1132	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	110
PID 2212 wrote to memory of 1132	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	110
PID 2212 wrote to memory of 2164	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	109
PID 2212 wrote to memory of 2164	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	109
PID 2212 wrote to memory of 2164	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	109
PID 2212 wrote to memory of 1676	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	96
PID 2212 wrote to memory of 1676	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	96
PID 2212 wrote to memory of 1676	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	96
PID 2212 wrote to memory of 2464	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	108
PID 2212 wrote to memory of 2464	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	108
PID 2212 wrote to memory of 2464	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	108
PID 2212 wrote to memory of 3064	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	107
PID 2212 wrote to memory of 3064	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	107
PID 2212 wrote to memory of 3064	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	107
PID 2212 wrote to memory of 1400	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	106
PID 2212 wrote to memory of 1400	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	106
PID 2212 wrote to memory of 1400	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	106
PID 2212 wrote to memory of 2236	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	97
PID 2212 wrote to memory of 2236	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	97
PID 2212 wrote to memory of 2236	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	97
PID 2212 wrote to memory of 2576	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	112
PID 2212 wrote to memory of 2576	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	112
PID 2212 wrote to memory of 2576	2212	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe	112
PID 2576 wrote to memory of 2156	2576	cmd.exe	114
PID 2576 wrote to memory of 2156	2576	cmd.exe	114
PID 2576 wrote to memory of 2156	2576	cmd.exe	114
PID 2576 wrote to memory of 1416	2576	cmd.exe	115
PID 2576 wrote to memory of 1416	2576	cmd.exe	115
PID 2576 wrote to memory of 1416	2576	cmd.exe	115
PID 2576 wrote to memory of 1416	2576	cmd.exe	115
PID 2576 wrote to memory of 1416	2576	cmd.exe	115

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\ja-JP\explorer.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2972

C:\Users\Admin\AppData\Local\Temp\NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7e3fc0585f620c6b0f37da94e6bab530_JC.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H0NrRN2AKE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2156
- - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe
    "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\Sample Media\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\dc2a2482-6fc2-11ee-ac24-e54deae2f792\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RCXE6B1.tmp

Filesize
1.1MB

MD5
66822510781dc186ab8b941b992edb68

SHA1
42ea27380691ccfd5ec3bedd64c3a8ee6516558f

SHA256
bd554a4eed56aa498439f57c499d907e5c84408009362a248e02f48d511f29b3

SHA512
a28c2255640fd94915b3083fbce8a607e6c4f3f597f5f69bc87764c4dda3d4ac5b7d9ec37887cd7d72c6f67e283e22729ffe28493c90ab48a7491e974178cae8

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe

Filesize
1.1MB

MD5
66822510781dc186ab8b941b992edb68

SHA1
42ea27380691ccfd5ec3bedd64c3a8ee6516558f

SHA256
bd554a4eed56aa498439f57c499d907e5c84408009362a248e02f48d511f29b3

SHA512
a28c2255640fd94915b3083fbce8a607e6c4f3f597f5f69bc87764c4dda3d4ac5b7d9ec37887cd7d72c6f67e283e22729ffe28493c90ab48a7491e974178cae8

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe

Filesize
1.1MB

MD5
66822510781dc186ab8b941b992edb68

SHA1
42ea27380691ccfd5ec3bedd64c3a8ee6516558f

SHA256
bd554a4eed56aa498439f57c499d907e5c84408009362a248e02f48d511f29b3

SHA512
a28c2255640fd94915b3083fbce8a607e6c4f3f597f5f69bc87764c4dda3d4ac5b7d9ec37887cd7d72c6f67e283e22729ffe28493c90ab48a7491e974178cae8

Download Submit
C:\Program Files (x86)\Microsoft Office\Templates\System.exe

Filesize
1.1MB

MD5
7e3fc0585f620c6b0f37da94e6bab530

SHA1
655e53dd3beac3ea341445851fc5a081a2aa6467

SHA256
0e73be00fb48868adb24c8efefd7dd657b76cb668031b0aec10acb7d089be563

SHA512
10cd059d42a81c688a65dda526ff3ed183ce681bb2a0e98f54dddc283102b2310e0759bdb286188bf13605962dc41bdfe63542a53427b5ad1c655cec6dfff085

Download Submit
C:\Program Files\Windows Journal\audiodg.exe

Filesize
1.1MB

MD5
a4cec2f7d42ea674a38cd521973e6c7c

SHA1
ea288e7fab3f5e860b2ee161c312af240e9a3f4c

SHA256
cdf6a9e4f7b254c0a923a378a7faa8051ea402e0d5d29e7b7fcf3fb17f28106e

SHA512
7d13819bd7c39d0d3551424281c8870a01e2a98474a048523a19ddc42cb424115cc9d39604111665dd830378e50c775b8ebd2e9fa1d941440961d7939f5d62c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H0NrRN2AKE.bat

Filesize
251B

MD5
c4bdb78fe0f4e095cb299d860bbd89de

SHA1
5030d9c7fd1b0fd90993a93b172639a0c99b34bd

SHA256
16907d5ae3e23287c40f1f80ab7fdea66b3a282835867cc0425248c016a41b5f

SHA512
8d241034f6e5e43f56921d678c06d9e4cbf35fe8fb9dda82a4f8940ba76f83d33749e98b91f5b0744359e369b157a378d64a344c668c96a0b44d9e7271275b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a5d922c6f0b59bf5856cdee870c1698

SHA1
4012b4d3def89cb3c04fe2b577719b40b5394372

SHA256
1445c22b62daa75eee32c6b769ac19fca2fb3711e302fab521d3c6b3e580b411

SHA512
656e1a019d6ea551aeeb6e3e18937c0b18c24b20e7b8b232e2d58e8540f9a24e93cf5b30fceaa7996ac96b5284d6f9f5e2f805ec739439188a0ce24d8bb39e5b

Download Submit
C:\Users\Default\Desktop\explorer.exe

Filesize
1.1MB

MD5
7cdab1003822f5969ccea8cf214910a1

SHA1
f5f32db3b3c7ad4ae87ed8597f81a21c099b205b

SHA256
1c3c44a2697e99a489b97c48f8187818848ccc4fc72b485f8e64ebcf15408575

SHA512
cf707c507251742170aaf636a604239f963cd217a9a74345a9fb17f05a3d45135770bd39b6ff91e4a1dc238cb7d569f73c36373a15d1925292abef6d1478b0a3

Download Submit
C:\Users\Public\Pictures\Sample Pictures\wininit.exe

Filesize
1.1MB

MD5
b9c3fd50dc2f129deffcff1536716590

SHA1
9ac8257aa069b84a86bd9098bee76045da2c1a4a

SHA256
0b431233919e817beeda162e9d2f08ac54780ef452a73f16f91fa2afabb6bb01

SHA512
db939c0f286acb289b951c56c508e340e6d1bf2cd7344644d40fd66150c71ed1b5187dc7434e9bad7de7c4337b3adfe5af9b66f8c31f426b5a7a939b137b9b3e

Download Submit
C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\System.exe

Filesize
1.1MB

MD5
edc68c117873344a068b7ce59750f6d3

SHA1
df8f535f859b22542197933ed0e8bf5e08cca9e6

SHA256
19d1987a929aeeca5fe94e7ee2a8a1d5072304f84d36fb0721f695f406ad8004

SHA512
2cb68539dc074c89167a5b5189c1263c0bc4e77835e70bb31a5440dfe7ab299e3bc6bcc77b3380f623e3507d95c83446eddadd037380f63c54823f6ee7a166db

Download Submit
C:\Windows\twain_32\sppsvc.exe

Filesize
1.1MB

MD5
ed743f9b1a669df61c403550f6f56791

SHA1
d646615b50fcab3e3f0fd99335838eff87d6cad4

SHA256
233d9b87de2a024133ceae30710be835f61727dfb603350ef9c69461847629c1

SHA512
eacbe731db4392d7cc8d6ab44781145d1d7cd67d0f426aec788d8aaec241b8a93db1e3d20320e913fc826b184c657fc373475f1ae9b1d79e725d505ab133c490

Download Submit
memory/1132-352-0x0000000001E04000-0x0000000001E07000-memory.dmp

Filesize
12KB

Download
memory/1132-357-0x0000000001E0B000-0x0000000001E72000-memory.dmp

Filesize
412KB

Download
memory/1132-347-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/1400-353-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/1400-364-0x00000000023CB000-0x0000000002432000-memory.dmp

Filesize
412KB

Download
memory/1400-345-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/1400-356-0x00000000023C4000-0x00000000023C7000-memory.dmp

Filesize
12KB

Download
memory/1400-344-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/1676-333-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/1676-336-0x000000000282B000-0x0000000002892000-memory.dmp

Filesize
412KB

Download
memory/1676-331-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/1808-355-0x0000000001EBB000-0x0000000001F22000-memory.dmp

Filesize
412KB

Download
memory/1808-327-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1808-351-0x0000000001EB4000-0x0000000001EB7000-memory.dmp

Filesize
12KB

Download
memory/1808-348-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-368-0x0000000001EB4000-0x0000000001EB7000-memory.dmp

Filesize
12KB

Download
memory/2164-360-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2164-373-0x0000000001EBB000-0x0000000001F22000-memory.dmp

Filesize
412KB

Download
memory/2212-2-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2212-276-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-6-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2212-8-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2212-18-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-0-0x00000000002E0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2212-5-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2212-4-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2212-3-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/2212-22-0x000000001B040000-0x000000001B0C0000-memory.dmp

Filesize
512KB

Download
memory/2212-1-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-7-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2236-359-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-358-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2236-372-0x00000000024BB000-0x0000000002522000-memory.dmp

Filesize
412KB

Download
memory/2236-343-0x00000000024B0000-0x0000000002530000-memory.dmp

Filesize
512KB

Download
memory/2236-367-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2236-342-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-328-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2464-370-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2464-377-0x0000000002684000-0x0000000002687000-memory.dmp

Filesize
12KB

Download
memory/2464-376-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2464-365-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-354-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-366-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/2628-330-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-335-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2628-339-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2628-337-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2628-362-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2792-349-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/2792-346-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-329-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-350-0x00000000025BB000-0x0000000002622000-memory.dmp

Filesize
412KB

Download
memory/2792-332-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-334-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/2856-369-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/2856-361-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/2856-374-0x00000000024EB000-0x0000000002552000-memory.dmp

Filesize
412KB

Download
memory/3060-371-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/3060-363-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/3060-375-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/3060-378-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/3064-340-0x00000000029C4000-0x00000000029C7000-memory.dmp

Filesize
12KB

Download
memory/3064-338-0x000007FEECE70000-0x000007FEED80D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-341-0x00000000029CB000-0x0000000002A32000-memory.dmp

Filesize
412KB

Download