dcrat | 3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e

Analysis

max time kernel
83s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f675c9590aa70b92af054bbd4e63bb70N.exe
Size

4.9MB
MD5

f675c9590aa70b92af054bbd4e63bb70
SHA1

61b97bb45293faf091855b8c4dc623dc1d6c0068
SHA256

3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e
SHA512

5ff6e8f4b7090bdb784ecae861dd9e0ebb98eac3bdc539de78230be7285d912c49eab30c8b1d956c80004192e028a3505dbe951877c792deb03bc130c72bf5c9
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2768	schtasks.exe	30

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2728-3-0x000000001B640000-0x000000001B76E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe
3024	powershell.exe
2560	powershell.exe
1960	powershell.exe
1916	powershell.exe
2580	powershell.exe
824	powershell.exe
568	powershell.exe
1968	powershell.exe
1508	powershell.exe
2972	powershell.exe
3032	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1448	explorer.exe
1120	explorer.exe
2896	explorer.exe
3024	explorer.exe
1584	explorer.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCX64D2.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6763.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files\DVD Maker\es-ES\b75386f1303e64	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Internet Explorer\6203df4a6bafc7	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCX62AF.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\lsass.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files\DVD Maker\es-ES\taskhost.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\Internet Explorer\lsass.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\27d1bcfc3c54e0	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\taskhost.exe	f675c9590aa70b92af054bbd4e63bb70N.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\winlogon.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Windows\fr-FR\cc11b995f2a76d	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Windows\en-US\winlogon.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Windows\en-US\cc11b995f2a76d	f675c9590aa70b92af054bbd4e63bb70N.exe
File created	C:\Windows\rescache\csrss.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Windows\fr-FR\RCX6A8F.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Windows\fr-FR\winlogon.exe	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Windows\en-US\RCX6F41.tmp	f675c9590aa70b92af054bbd4e63bb70N.exe
File opened for modification	C:\Windows\en-US\winlogon.exe	f675c9590aa70b92af054bbd4e63bb70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
2484	schtasks.exe
1904	schtasks.exe
592	schtasks.exe
1128	schtasks.exe
1252	schtasks.exe
2472	schtasks.exe
900	schtasks.exe
2144	schtasks.exe
276	schtasks.exe
2292	schtasks.exe
1120	schtasks.exe
2240	schtasks.exe
1756	schtasks.exe
944	schtasks.exe
2568	schtasks.exe
1992	schtasks.exe
2160	schtasks.exe
3060	schtasks.exe
2864	schtasks.exe
2360	schtasks.exe
3008	schtasks.exe
3004	schtasks.exe
320	schtasks.exe
2388	schtasks.exe
336	schtasks.exe
2600	schtasks.exe
3040	schtasks.exe
2116	schtasks.exe
2464	schtasks.exe
1416	schtasks.exe
2580	schtasks.exe
2656	schtasks.exe
1316	schtasks.exe
1268	schtasks.exe
2632	schtasks.exe
2068	schtasks.exe
1716	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2728	f675c9590aa70b92af054bbd4e63bb70N.exe
2728	f675c9590aa70b92af054bbd4e63bb70N.exe
2728	f675c9590aa70b92af054bbd4e63bb70N.exe
3032	powershell.exe
824	powershell.exe
1968	powershell.exe
1916	powershell.exe
2560	powershell.exe
1508	powershell.exe
3024	powershell.exe
2592	powershell.exe
2972	powershell.exe
2580	powershell.exe
568	powershell.exe
1960	powershell.exe
1448	explorer.exe
1120	explorer.exe
2896	explorer.exe
3024	explorer.exe
1584	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	f675c9590aa70b92af054bbd4e63bb70N.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1448	explorer.exe
Token: SeDebugPrivilege	1120	explorer.exe
Token: SeDebugPrivilege	2896	explorer.exe
Token: SeDebugPrivilege	3024	explorer.exe
Token: SeDebugPrivilege	1584	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 1968	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	70
PID 2728 wrote to memory of 1968	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	70
PID 2728 wrote to memory of 1968	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	70
PID 2728 wrote to memory of 2592	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	71
PID 2728 wrote to memory of 2592	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	71
PID 2728 wrote to memory of 2592	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	71
PID 2728 wrote to memory of 3032	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	73
PID 2728 wrote to memory of 3032	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	73
PID 2728 wrote to memory of 3032	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	73
PID 2728 wrote to memory of 3024	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	74
PID 2728 wrote to memory of 3024	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	74
PID 2728 wrote to memory of 3024	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	74
PID 2728 wrote to memory of 1960	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	75
PID 2728 wrote to memory of 1960	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	75
PID 2728 wrote to memory of 1960	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	75
PID 2728 wrote to memory of 2560	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	76
PID 2728 wrote to memory of 2560	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	76
PID 2728 wrote to memory of 2560	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	76
PID 2728 wrote to memory of 1916	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	78
PID 2728 wrote to memory of 1916	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	78
PID 2728 wrote to memory of 1916	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	78
PID 2728 wrote to memory of 1508	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	80
PID 2728 wrote to memory of 1508	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	80
PID 2728 wrote to memory of 1508	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	80
PID 2728 wrote to memory of 568	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	81
PID 2728 wrote to memory of 568	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	81
PID 2728 wrote to memory of 568	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	81
PID 2728 wrote to memory of 2972	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	82
PID 2728 wrote to memory of 2972	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	82
PID 2728 wrote to memory of 2972	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	82
PID 2728 wrote to memory of 824	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	83
PID 2728 wrote to memory of 824	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	83
PID 2728 wrote to memory of 824	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	83
PID 2728 wrote to memory of 2580	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	85
PID 2728 wrote to memory of 2580	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	85
PID 2728 wrote to memory of 2580	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	85
PID 2728 wrote to memory of 2084	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	94
PID 2728 wrote to memory of 2084	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	94
PID 2728 wrote to memory of 2084	2728	f675c9590aa70b92af054bbd4e63bb70N.exe	94
PID 2084 wrote to memory of 3060	2084	cmd.exe	96
PID 2084 wrote to memory of 3060	2084	cmd.exe	96
PID 2084 wrote to memory of 3060	2084	cmd.exe	96
PID 2084 wrote to memory of 1448	2084	cmd.exe	97
PID 2084 wrote to memory of 1448	2084	cmd.exe	97
PID 2084 wrote to memory of 1448	2084	cmd.exe	97
PID 1448 wrote to memory of 1152	1448	explorer.exe	98
PID 1448 wrote to memory of 1152	1448	explorer.exe	98
PID 1448 wrote to memory of 1152	1448	explorer.exe	98
PID 1448 wrote to memory of 420	1448	explorer.exe	99
PID 1448 wrote to memory of 420	1448	explorer.exe	99
PID 1448 wrote to memory of 420	1448	explorer.exe	99
PID 1152 wrote to memory of 1120	1152	WScript.exe	100
PID 1152 wrote to memory of 1120	1152	WScript.exe	100
PID 1152 wrote to memory of 1120	1152	WScript.exe	100
PID 1120 wrote to memory of 1800	1120	explorer.exe	101
PID 1120 wrote to memory of 1800	1120	explorer.exe	101
PID 1120 wrote to memory of 1800	1120	explorer.exe	101
PID 1120 wrote to memory of 2848	1120	explorer.exe	102
PID 1120 wrote to memory of 2848	1120	explorer.exe	102
PID 1120 wrote to memory of 2848	1120	explorer.exe	102
PID 1800 wrote to memory of 2896	1800	WScript.exe	103
PID 1800 wrote to memory of 2896	1800	WScript.exe	103
PID 1800 wrote to memory of 2896	1800	WScript.exe	103
PID 2896 wrote to memory of 1968	2896	explorer.exe	104

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f675c9590aa70b92af054bbd4e63bb70N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f675c9590aa70b92af054bbd4e63bb70N.exe
"C:\Users\Admin\AppData\Local\Temp\f675c9590aa70b92af054bbd4e63bb70N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\74P8KQcPYB.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3060
- - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b54d113-5956-4d5f-9ae1-70d7380dd814.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1120
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a02732f-fd19-4aae-9789-01f147ac17e3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8f2d065-9250-4e6d-acad-fb41e30a8731.vbs"
        8⤵
        
        PID:1968
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78fdeae9-9653-45f5-b280-6db9e94daf57.vbs"
        10⤵
        
        PID:1924
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d606fc4d-b099-41d5-a432-d271d17da6f4.vbs"
        12⤵
        
        PID:2344
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        13⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd8b3cdf-0b98-450a-b5c9-093998761e3b.vbs"
        14⤵
        
        PID:2180
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        15⤵
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe22ded-e7c9-4966-a3e2-426ad0ce5c65.vbs"
        16⤵
        
        PID:1084
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe"
        17⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3fe8b2a-9333-4799-a68d-a79559c1c2c9.vbs"
        18⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8879c080-92d7-4778-8fd0-59751aa7e454.vbs"
        18⤵
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7992db92-6af0-4064-b27b-ec437f19a19a.vbs"
        16⤵
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d38f3970-c127-4931-a2dc-fc694b0e6624.vbs"
        14⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e81cf52e-60fd-406c-b8b6-5a4f5b17f657.vbs"
        12⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abde47d3-34f0-4f27-8ce5-062ec5b26d75.vbs"
        10⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0284cc57-15d9-41bd-82a5-8f10a551f697.vbs"
        8⤵
        
        PID:1532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b1473f-6e1c-4cfb-b0c0-c66574b8d637.vbs"
        6⤵
        
        PID:2848
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93be98a1-b5b0-4d3e-8462-0f025d81c2d2.vbs"
      4⤵
      PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\53190a62-69f6-11ef-9f57-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
4.5MB

MD5
5ebd315454ee948b1ffa054f215c0601

SHA1
99740a6aeb8a4b2a7f3485e082b552f344f44210

SHA256
bc503a0ac9abac4f298a7366b36263f92ada9ffbef72877ca60d7bfd18a06980

SHA512
22b864e59fa46ca6ef3535884c01684d94c82390edfbb49df56b259addcdfc9b6ac831c2e7ae4731861f0ce65d9ab0392c023bb8da1878825f8909df2aed09ff

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
2.6MB

MD5
734838ce9012c40b23ef90a8b15853eb

SHA1
bb6f0a8fcdba75c80ded29119403cfdc88e4f0d5

SHA256
0d3e1084ff6f88490b711565be98fe69b766819cff59a6b3d21b7cbc5b5c1fb1

SHA512
97d07cff701fd2236f4bdf8970668872f70a315036b602398200bcb8d662383133a5003ce00e025818b5848948957cf549538d94094c283852ff2a12168f65d4

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.1MB

MD5
d29b5ab7b9d285a70ac9e0a014df3658

SHA1
4cfd2800107393ca99ada081eddbb9bd35c50fec

SHA256
8b8d930f2e203b5e8ecc3b5fa7a63fc7c88ace30fd99941e7b56494b78f8ddf0

SHA512
0daa68d970bb39bb45a71392740892e92e94161d76a24ca826bf0ceb4fc6166ac24f2b816aeb846795614f83d571c0323711701edb968faab0213408a9fa0a11

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System.exe

Filesize
4.9MB

MD5
3cee54b6a13317f1f257dc6185098737

SHA1
0f8209591847b8e2d1ca48990201d0f1c5ed93c1

SHA256
66e7f171c6aa87e15a61fbd039b01b842fe3859e7749500b1288561ae652366b

SHA512
8d0c7eb19673685bb85f74ed133b6684766ecb5b4a37237353deb2777bcbcef44b8314225f33fdb97e731a05fe11c5030d8ece159a40e33ae2a5dcd5f425bffc

Download Submit
C:\Program Files\DVD Maker\es-ES\taskhost.exe

Filesize
4.9MB

MD5
f675c9590aa70b92af054bbd4e63bb70

SHA1
61b97bb45293faf091855b8c4dc623dc1d6c0068

SHA256
3e7c17750f02bfba0b1870edaace58265a28d8f15d620393453d9274d7003e3e

SHA512
5ff6e8f4b7090bdb784ecae861dd9e0ebb98eac3bdc539de78230be7285d912c49eab30c8b1d956c80004192e028a3505dbe951877c792deb03bc130c72bf5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b54d113-5956-4d5f-9ae1-70d7380dd814.vbs

Filesize
751B

MD5
33efb98c0a61ede18dd4f6e6e2b8c448

SHA1
fde6c8658719a0bff79dc3e5322f832ac169431b

SHA256
af166e6418533617f880193666e4bf20cad7dc276e006e230823f39270ecc063

SHA512
9c339f081561af36a934954f3cc8393684d4e30bb222f422b4893999e9d691d8304e32a7a38fe22dad795c0f580344ae4cbe1b2994bfe06435c27af8616037c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\74P8KQcPYB.bat

Filesize
240B

MD5
5c910341c1b49ae996b3bd88147bd58e

SHA1
c58e83cab8ec7eebf956a953b1b0963574952b26

SHA256
b8acd8290fddfe0e14f0cbc74971eefda1ee46e2571cfdaf68ef6df6d9ee395b

SHA512
7dc9b3e2bb18272248f3142a0187a7bc343f5d36394069ca022e8fd57a59384d342ef8e52f21d70d5d1b2998b8df16ff4fbe10ff7527e4b96a2562053b60a861

Download Submit
C:\Users\Admin\AppData\Local\Temp\78fdeae9-9653-45f5-b280-6db9e94daf57.vbs

Filesize
751B

MD5
a3844972bac4b912e60370d79f385583

SHA1
c245b30ca8e08aa90ee2ba818dccebe740a02d9f

SHA256
b1caa7bd2822cbc1e3ddd53a949a4070b22eca120402067bae1a9a1610fb0be6

SHA512
f9f59cd13c398ca5f99e9cb0b8e948b3c9aa51152d93ea0ed81cbed986e9b51da2aa83c9439f0c13ae680084d5bb12b7fcdde1a5d1e91f144a87ccbd3410aae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\790ae7fb75235c796e49c039207532319cbc2f9f.exe

Filesize
3.9MB

MD5
ad123303982f5cfd65522bce65e492ed

SHA1
20ba8c2513c677a392d471ef40fad8c672fa7c92

SHA256
12a0f1cb6209b6bad91f366d7232ac61913dbe5850dd9183c197ed69c44a881e

SHA512
9009b1b72344866019b1e6933816429a8a3e54e6f4303b7090287a3290858268995f83fbba5164da9dd3364d729077b169570c9f570b1ef3fd9819612c187062

Download Submit
C:\Users\Admin\AppData\Local\Temp\790ae7fb75235c796e49c039207532319cbc2f9f.exe

Filesize
2.2MB

MD5
2c24c61da786736b7723b4bf082d9417

SHA1
10f36c5592b6697fca8a2a1240283d3be8865588

SHA256
f45895945222dec16c87ea19aa745cd3a038448fccab1b5f405e3dc11de5bae7

SHA512
933b8457f118f8d83d5e27931bf807936fe0794aed7c7b1cb17c10fe7ad0316aaa8195282300cd00cbd482636cad99497a98fe18e2c6cfc6fd544fdf5cbad50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\790ae7fb75235c796e49c039207532319cbc2f9f.exe

Filesize
663KB

MD5
401c2f88f66a89b5966ecdb3d2468d95

SHA1
379fbfc6b175cf6abe31569dc869f87eedcab4c8

SHA256
af14dcf79f0150ede99e334a3732d4ddb2fc839975afd4f618f89279b0e0249d

SHA512
6f0e6820f41d0bd8f756950d11388c0234a67bfe178a45112d49a00f75c5ab43ba57b6cd6714473c888de16a4f6b77e32254eccc80035e190f0d245f2ab408d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a02732f-fd19-4aae-9789-01f147ac17e3.vbs

Filesize
751B

MD5
881fa671cc9da487127d80357b140cf6

SHA1
1bb5993fe30af7ac238a7066f9e6e9498249005f

SHA256
74477fdabdaf56b6711d622706f2d6d0e6f1f59a75f536aedea80a033ba8a64e

SHA512
88adbc2638e8ae795e4edfca4e20e40904338dc3486867991b2febc30c37a36dddc3d3d830a31d7daa61003b0003497f6528b55470af4b9502c2a91d0f4a7844

Download Submit
C:\Users\Admin\AppData\Local\Temp\93be98a1-b5b0-4d3e-8462-0f025d81c2d2.vbs

Filesize
527B

MD5
32e55e71993ac7ed81f900429d360d9a

SHA1
7b512b713fb14966f48eb1b3d9a1bc0230c7a2be

SHA256
732aaa575b4ae756beafe001a003e68ca4f4bff386577885761bfcccfcdda067

SHA512
0909f9a6665c4173f24d930ced5b1a08aa2921b1787e158f50719cfc2f20045574ddd2a8217fbe6147656cc42543c8d767aee8fcf17fd5351acd3955277d902a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd8b3cdf-0b98-450a-b5c9-093998761e3b.vbs

Filesize
751B

MD5
d8811301d602e6abdfb1c764cde9c5f3

SHA1
bb638df69d3673ff9fb6876bb4471708719d4813

SHA256
c0da35cb2190aa0bb2ec7f9eea87ffc4f6cfef29e71190592a8cfd7ea792e913

SHA512
f221e3d0e1dae564959cefe2266f4603df3e0c75b153a54ae6d9b42e5e2b431589f7c844f90247660e050e21605e14125fa3eb618e4209aeba6af1bb46f95af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3fe8b2a-9333-4799-a68d-a79559c1c2c9.vbs

Filesize
751B

MD5
43f68f1980c7a629d98d7d947212ce08

SHA1
7d3218b25aa6f50b7fa7bf27d4aaee1298aab505

SHA256
44f9d4f214022da159ef93fa480fed5fe7eba4d4c36cfa40c8122cdf913f7e99

SHA512
f55273add9e2ebc4435932268a191b1eb8f5ddfd725c7d0d76ee85fcd15f84e72b1d3d3e7a00ab78cc6029e6ff53ad7671c40581a0406cd89ecff5743383dd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d606fc4d-b099-41d5-a432-d271d17da6f4.vbs

Filesize
751B

MD5
29d2d75a181dca9f0ad42d033831e400

SHA1
6229e22e8adeaf9df1d5d1d64b4015229cbf016a

SHA256
bcd4f616a617408e9bfea6feab7ddff84ad3166da5c512f705c086704d95460e

SHA512
dedc108bf723cc64798b851e4a507f615a3e1678fa783e8a2a04cf1b1bc1750d111163f136e228c2e5775920adaba000e83a1dd39cd06336f663052607a820b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8f2d065-9250-4e6d-acad-fb41e30a8731.vbs

Filesize
751B

MD5
123a2556a5bff66af6fcde2714064c68

SHA1
c23c497027ea73486911cd6b39548d91263844ed

SHA256
e3ba9851ed16913fa82804de34ddf76bad903b9901b7cceb2bc971e79db992ca

SHA512
298eb2ee1828b90fbe9c8cd23644d7f6548cef5d9c4363d08b1e5a2f797efcf85242ded90ce2a8d82a3a79d4c79c5ec7bdd5b02b995903a7005f74d043cbecfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbe22ded-e7c9-4966-a3e2-426ad0ce5c65.vbs

Filesize
751B

MD5
51ab8b279163d2af7d95e034f0c8680f

SHA1
4a3fd914fa5e1ba598879f2fdd27a09f3b5191e3

SHA256
895ab6600efe3ab57751718b4a90bb882e39ac694bd54aa1d9029a477f869d4b

SHA512
c0cd344caed7e4a67f1cea29dc84aa821a33f227daf7ca301241fbc726829a29fa835b408e28a4d11348deb2a36ba2c0f7c82187140ee4e804577984cc82463e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0E1.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cc0c46a635a20f41ca724b875c9dfefb

SHA1
31a5749720329058e3d5c08441e86c645c67e591

SHA256
f9ddebc3f716f43f13528e919838ede1be5118bc6ad3e9739ace7e5301859dc1

SHA512
456ecc75e2a4a7e2e668d0f1c5d3035f91887feb722d93e25dd68c062a95b07cde93814ffddcd8ef3c0cee473bcbc7696739e3a05a8248f2dc6f940b982782df

Download Submit
memory/824-179-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/1120-224-0x00000000011F0000-0x00000000016E4000-memory.dmp

Filesize
5.0MB

Download
memory/1448-210-0x0000000000B80000-0x0000000001074000-memory.dmp

Filesize
5.0MB

Download
memory/1916-159-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2352-313-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2428-297-0x0000000001200000-0x00000000016F4000-memory.dmp

Filesize
5.0MB

Download
memory/2428-298-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2728-13-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/2728-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2728-96-0x000007FEF5090000-0x000007FEF5A7C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-86-0x000007FEF5093000-0x000007FEF5094000-memory.dmp

Filesize
4KB

Download
memory/2728-16-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2728-1-0x0000000001210000-0x0000000001704000-memory.dmp

Filesize
5.0MB

Download
memory/2728-15-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2728-14-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2728-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2728-0-0x000007FEF5093000-0x000007FEF5094000-memory.dmp

Filesize
4KB

Download
memory/2728-2-0x000007FEF5090000-0x000007FEF5A7C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-191-0x000007FEF5090000-0x000007FEF5A7C000-memory.dmp

Filesize
9.9MB

Download
memory/2728-10-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2728-9-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2728-8-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2728-7-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/2728-6-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2728-5-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2728-4-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/2728-3-0x000000001B640000-0x000000001B76E000-memory.dmp

Filesize
1.2MB

Download
memory/2732-282-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/2896-239-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download