dcrat | bb676a031583052274837784f3485223606d83d9bfbdfdea45628ac829b365e3

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a7c993e01ad5ed33ba8680de9539080N.exe
Size

4.9MB
MD5

6a7c993e01ad5ed33ba8680de9539080
SHA1

7ea79ce18d23cfe9d2519d89ec01183f7c375792
SHA256

bb676a031583052274837784f3485223606d83d9bfbdfdea45628ac829b365e3
SHA512

9a718c2912ffe013d669d9a9df5891d890ae88222ab2349515962b8bb03a2aa063674629adc1481a97bd3f1b9afd6410c918bf68db5003a89a6762e2fc684104
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2428	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2428	schtasks.exe

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wininit.exewininit.exewininit.exewininit.exe6a7c993e01ad5ed33ba8680de9539080N.exewininit.exewininit.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-3-0x000000001B890000-0x000000001B9BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2128	powershell.exe
2400	powershell.exe
2848	powershell.exe
2980	powershell.exe
1660	powershell.exe
1520	powershell.exe
2124	powershell.exe
1848	powershell.exe
1636	powershell.exe
1512	powershell.exe
2168	powershell.exe
1264	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

wininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid process

1648 wininit.exe
2304 wininit.exe
2560 wininit.exe
1568 wininit.exe
660 wininit.exe
1664 wininit.exe
1720 wininit.exe

pid	process
1648	wininit.exe
2304	wininit.exe
2560	wininit.exe
1568	wininit.exe
660	wininit.exe
1664	wininit.exe
1720	wininit.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wininit.exewininit.exewininit.exewininit.exe6a7c993e01ad5ed33ba8680de9539080N.exewininit.exewininit.exewininit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Drops file in Program Files directory 24 IoCs

Processes:

6a7c993e01ad5ed33ba8680de9539080N.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\RCXD4AA.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\audiodg.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\6cb0b6c459d5d3	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files (x86)\Internet Explorer\smss.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\lsass.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\42af1c969fbb7b	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\6cb0b6c459d5d3	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\dwm.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Windows Sidebar\it-IT\lsass.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\dwm.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\dwm.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Windows Sidebar\it-IT\6203df4a6bafc7	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXBDA6.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RCXC21B.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\audiodg.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\b75386f1303e64	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\dwm.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Program Files (x86)\Internet Explorer\69ddcba757bf72	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXC41F.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC623.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\smss.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCXCA2A.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe

Drops file in Windows directory 5 IoCs

Processes:

6a7c993e01ad5ed33ba8680de9539080N.exe

description	ioc	process
File created	C:\Windows\SchCache\f3b6ecef712a24	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e808428f5eb5f0d8\sppsvc.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Windows\SchCache\RCXCC2E.tmp	6a7c993e01ad5ed33ba8680de9539080N.exe
File opened for modification	C:\Windows\SchCache\spoolsv.exe	6a7c993e01ad5ed33ba8680de9539080N.exe
File created	C:\Windows\SchCache\spoolsv.exe	6a7c993e01ad5ed33ba8680de9539080N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
860	schtasks.exe
1732	schtasks.exe
1704	schtasks.exe
984	schtasks.exe
2512	schtasks.exe
2628	schtasks.exe
2228	schtasks.exe
1096	schtasks.exe
2812	schtasks.exe
952	schtasks.exe
2172	schtasks.exe
2344	schtasks.exe
2612	schtasks.exe
1708	schtasks.exe
2876	schtasks.exe
2856	schtasks.exe
2544	schtasks.exe
2540	schtasks.exe
1352	schtasks.exe
1344	schtasks.exe
1232	schtasks.exe
2816	schtasks.exe
1172	schtasks.exe
1532	schtasks.exe
2636	schtasks.exe
2676	schtasks.exe
1852	schtasks.exe
1956	schtasks.exe
552	schtasks.exe
2996	schtasks.exe
1392	schtasks.exe
2748	schtasks.exe
2536	schtasks.exe
2960	schtasks.exe
1872	schtasks.exe
2928	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

6a7c993e01ad5ed33ba8680de9539080N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	process
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1960	6a7c993e01ad5ed33ba8680de9539080N.exe
1520	powershell.exe
1512	powershell.exe
2980	powershell.exe
1660	powershell.exe
1636	powershell.exe
2400	powershell.exe
1848	powershell.exe
2124	powershell.exe
1264	powershell.exe
2168	powershell.exe
2128	powershell.exe
2848	powershell.exe
1648	wininit.exe
2304	wininit.exe
2560	wininit.exe
1568	wininit.exe
660	wininit.exe
1664	wininit.exe
1720	wininit.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1960	6a7c993e01ad5ed33ba8680de9539080N.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1648	wininit.exe
Token: SeDebugPrivilege	2304	wininit.exe
Token: SeDebugPrivilege	2560	wininit.exe
Token: SeDebugPrivilege	1568	wininit.exe
Token: SeDebugPrivilege	660	wininit.exe
Token: SeDebugPrivilege	1664	wininit.exe
Token: SeDebugPrivilege	1720	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6a7c993e01ad5ed33ba8680de9539080N.execmd.exewininit.exeWScript.exewininit.exeWScript.exewininit.exe

description	pid	process	target process
PID 1960 wrote to memory of 1660	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1660	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1660	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1520	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1520	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1520	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1636	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1636	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1636	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1512	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1512	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1512	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2980	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2980	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2980	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2400	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2400	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2400	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2128	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2128	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2128	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2124	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2124	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2124	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1848	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1264	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1264	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 1264	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2168	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2168	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2168	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	powershell.exe
PID 1960 wrote to memory of 2524	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	cmd.exe
PID 1960 wrote to memory of 2524	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	cmd.exe
PID 1960 wrote to memory of 2524	1960	6a7c993e01ad5ed33ba8680de9539080N.exe	cmd.exe
PID 2524 wrote to memory of 1780	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 1780	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 1780	2524	cmd.exe	w32tm.exe
PID 2524 wrote to memory of 1648	2524	cmd.exe	wininit.exe
PID 2524 wrote to memory of 1648	2524	cmd.exe	wininit.exe
PID 2524 wrote to memory of 1648	2524	cmd.exe	wininit.exe
PID 1648 wrote to memory of 1136	1648	wininit.exe	WScript.exe
PID 1648 wrote to memory of 1136	1648	wininit.exe	WScript.exe
PID 1648 wrote to memory of 1136	1648	wininit.exe	WScript.exe
PID 1648 wrote to memory of 1832	1648	wininit.exe	WScript.exe
PID 1648 wrote to memory of 1832	1648	wininit.exe	WScript.exe
PID 1648 wrote to memory of 1832	1648	wininit.exe	WScript.exe
PID 1136 wrote to memory of 2304	1136	WScript.exe	wininit.exe
PID 1136 wrote to memory of 2304	1136	WScript.exe	wininit.exe
PID 1136 wrote to memory of 2304	1136	WScript.exe	wininit.exe
PID 2304 wrote to memory of 2528	2304	wininit.exe	WScript.exe
PID 2304 wrote to memory of 2528	2304	wininit.exe	WScript.exe
PID 2304 wrote to memory of 2528	2304	wininit.exe	WScript.exe
PID 2304 wrote to memory of 2516	2304	wininit.exe	WScript.exe
PID 2304 wrote to memory of 2516	2304	wininit.exe	WScript.exe
PID 2304 wrote to memory of 2516	2304	wininit.exe	WScript.exe
PID 2528 wrote to memory of 2560	2528	WScript.exe	wininit.exe
PID 2528 wrote to memory of 2560	2528	WScript.exe	wininit.exe
PID 2528 wrote to memory of 2560	2528	WScript.exe	wininit.exe
PID 2560 wrote to memory of 1244	2560	wininit.exe	WScript.exe

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

wininit.exewininit.exewininit.exe6a7c993e01ad5ed33ba8680de9539080N.exewininit.exewininit.exewininit.exewininit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6a7c993e01ad5ed33ba8680de9539080N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6a7c993e01ad5ed33ba8680de9539080N.exe
"C:\Users\Admin\AppData\Local\Temp\6a7c993e01ad5ed33ba8680de9539080N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9FX11cFJzR.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1780

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36379527-d8fa-41b1-ac7a-3b8deaccdf41.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52d5043d-22a9-4599-88ee-aabdd4f42ba5.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d40444b-9dd1-4898-91cb-0172e26dfb97.vbs"
8⤵
PID:1244

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af70f746-3a78-4b63-8130-e61301659c9e.vbs"
10⤵
PID:1604

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e74ed5b-a4d8-49ea-81af-bc42218ebed3.vbs"
12⤵
PID:2640

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f189f11-ef02-4443-911e-9443dd454722.vbs"
14⤵
PID:2388

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe"
15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3add2cc5-fec6-4950-8bc4-8947d4b16ea6.vbs"
16⤵
PID:2832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d84ffaab-0c1d-447c-9371-12aa2f7bd61b.vbs"
16⤵
PID:1344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f2071a6-92c7-4772-9223-6a9df58c921b.vbs"
14⤵
PID:2540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87c51ba7-433a-4753-b469-b7623a55aa69.vbs"
12⤵
PID:2712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa430813-66bb-4abb-a53f-f06cf31da3fa.vbs"
10⤵
PID:2944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e8c2f3d-e2e5-4949-8166-7be0b46f4bb7.vbs"
8⤵
PID:1868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf55b30e-7882-4987-bec0-a3b16c0f7099.vbs"
6⤵
PID:2516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28a5382b-0392-4bf2-a672-8aabe6b575e8.vbs"
4⤵
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\uninstall\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\browser\features\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCXCE32.tmp

Filesize
4.9MB

MD5
793708607316afe8f6ea78b160c9b32d

SHA1
27b2ca8a6556e28e0a51e9123fedf58e6930b9df

SHA256
c283a3d114d25fe23584d1fe7b8a86f645f03958f7053711e2fd56e99bbfae35

SHA512
03dfe7d68cc447d7755d6fd8b1dcbb4819e8964a3ebf4997c24547b41d8e89c972c1211c91b3ea49400acc063b48f7a96572efacb961435111759fd27408a34f

Download Submit
C:\Program Files (x86)\Internet Explorer\smss.exe

Filesize
4.9MB

MD5
6a7c993e01ad5ed33ba8680de9539080

SHA1
7ea79ce18d23cfe9d2519d89ec01183f7c375792

SHA256
bb676a031583052274837784f3485223606d83d9bfbdfdea45628ac829b365e3

SHA512
9a718c2912ffe013d669d9a9df5891d890ae88222ab2349515962b8bb03a2aa063674629adc1481a97bd3f1b9afd6410c918bf68db5003a89a6762e2fc684104

Download Submit
C:\Users\Admin\AppData\Local\Temp\28a5382b-0392-4bf2-a672-8aabe6b575e8.vbs

Filesize
526B

MD5
396c055648c7100b62549359e9eee360

SHA1
057f4f34f1682c6fffe2e81a100367e37224c8fa

SHA256
a9c4598e70f28e83e40966ce573eef787cc1f32f5efac3fb19729345d304a406

SHA512
d1acc767317467c9d45bd0bbbcd486a748ed136737b5b554861995dd97ffee919a593aef1ec893dbddf9c5fd4fd7e9c5a6f6949453e23dfe9c0e53e1b2ad1ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f189f11-ef02-4443-911e-9443dd454722.vbs

Filesize
750B

MD5
cb4ac4586378a509afbb053d74799e8d

SHA1
79505a41f2457930fcf1d554a2d6ee9cdff56cb8

SHA256
4ef26521aa0c3da280ff99be35be747ee8588cfaf1118f578240e826cc4be062

SHA512
22f17eb2ab5f9426d81547e39f744c3ef635ab5759a157b9ae98e72802c917e41afc185a81afb77d9b9b0b38c83f620c6039c1dcf80a6f6dccfa342cb90058d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\36379527-d8fa-41b1-ac7a-3b8deaccdf41.vbs

Filesize
750B

MD5
7740ef01f740ce56cee59cd459953b8e

SHA1
28f4f2d90d49026c2983fa6f90fbb8070f2f8370

SHA256
3623a7d916433997a3f82c0350649994a568f99380882d9556cff716f75364cd

SHA512
d8fe825703ad0346d3f577acb86f0e638b54b9cd6490ca5038b160300213c8988b46f88cd2e219b903081210528611d0235a9d49e18b9af93e92519243043f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3add2cc5-fec6-4950-8bc4-8947d4b16ea6.vbs

Filesize
750B

MD5
eaed3fcc724c5e6fb662493c8e48e8c7

SHA1
4d2a0971260957c68afc14fda0b6d9d0ebca741d

SHA256
b54a2fe37f78c035078156df69daad446dd8abcd86664e17483afaa387dc095b

SHA512
713551daf38063105092c71c37decadce4df60011da7f06ca0a1653fa98853e0129eafef809e605e60d6dcb2aa91748816fdcf45e78e8fdb7cf14e159ca64fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e74ed5b-a4d8-49ea-81af-bc42218ebed3.vbs

Filesize
749B

MD5
a7eda7eb27fa18c21d4806fa5a71267c

SHA1
b71d9b3a4f4a3175a8e39b862b8f413bf66da861

SHA256
f95f54ddf953da55e2f8d81af83bcea070317d3eb508bdd3de3f46c74083fcca

SHA512
bcf632f51756934e03a7daf4ccbbadbdef6bf9c2686697312229e4883cc2da5baa71a9e639aab71a4f224199438d8d35c1d0bffdf7a9321e3fbff866704e2dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\52d5043d-22a9-4599-88ee-aabdd4f42ba5.vbs

Filesize
750B

MD5
00ecc781e8a8a04ce82eeb3c81074c63

SHA1
b6dd12fc58610fa7a545653d4c78c9f7445c05c4

SHA256
bdabac9a494a824a1808752123d3c5bb47f3aa3c786deacd63f9e2183ced2695

SHA512
58db482c91681c36e9aff1d632bcdbca9fafb022acc7a8570e2e54771cd0bd192a1d842c6816525b4ef9ac0a420cc1e0cb686b1dd65930def5c289c6d7d5b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FX11cFJzR.bat

Filesize
239B

MD5
d8892ec2ebc2c88341bbf9cb5be4994b

SHA1
3eef4183e071ce13327fe52e4c5043b5a398f6fb

SHA256
b56c5e83438b8ea8163541b51f20ef9531c52ddf74377e4296538b808e214092

SHA512
51c91d71ddebbf0d7c46a8e7cb805289bd48d8ddf45ace6ef4662616b17cd9382503b0283e7cf823fea8df3d69a1ddc4bae0e649d56889cbac3697d5126fe5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d40444b-9dd1-4898-91cb-0172e26dfb97.vbs

Filesize
750B

MD5
d8e19c2c9c262be701f583b84ef3a916

SHA1
ee306a1ccb2a924f8c123c331d457f2b49b97182

SHA256
7e5488f3f8bfa12fb8df3a20f3385854dce0b4e72ac4c993ff6e83826e2dcac6

SHA512
0567d1178ebcaac2ce1d46d7b3a15506857b7c09a077b61ebe926646bbb208aea7924b300ae83c01c68468e9e53ac15dff6bbad1b8288348b31798eb6fee8751

Download Submit
C:\Users\Admin\AppData\Local\Temp\af70f746-3a78-4b63-8130-e61301659c9e.vbs

Filesize
750B

MD5
43b6eb22a55ebf94e22a1bd9d54419d1

SHA1
892fd1f53c8877aabb9b7dc1b28b0ea3009c3c9c

SHA256
477c47ef3dc0572d9450a1317a2c233ee3a58df71d72d0c812f8f0aa63a1c3a0

SHA512
ec930c7251d75e117ff65cdd465a9ef9db98724f409fe85a5c8cdcc559bcab53b07c44bd083e558b31035961714163f0d2232793462f373de00be2460a596b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFC97.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c387c2c94fe6b59d76d1b0cf8d60bab4

SHA1
a311f2f3e473daba70cb89d50a4718655cf43ccc

SHA256
238d19c1eb64bf2c37e72870e8b332e8cf8be1f368f43169a45bbde856afaa4f

SHA512
2bd0c380ce965bdb78237480217fc069a1c79b80464d4859ec4689e7a5a8b8722e0cfcdae7ab9caf576370549e7b0572fbc812cbe135574dd7939ed8ece8223f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1512-140-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1520-141-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1568-241-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1568-240-0x0000000001360000-0x0000000001854000-memory.dmp

Filesize
5.0MB

Download
memory/1648-198-0x0000000000FB0000-0x00000000014A4000-memory.dmp

Filesize
5.0MB

Download
memory/1664-270-0x0000000000110000-0x0000000000604000-memory.dmp

Filesize
5.0MB

Download
memory/1720-285-0x00000000001D0000-0x00000000006C4000-memory.dmp

Filesize
5.0MB

Download
memory/1960-10-0x000000001A9E0000-0x000000001A9F2000-memory.dmp

Filesize
72KB

Download
memory/1960-6-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download
memory/1960-0-0x000007FEF59F3000-0x000007FEF59F4000-memory.dmp

Filesize
4KB

Download
memory/1960-121-0x000007FEF59F3000-0x000007FEF59F4000-memory.dmp

Filesize
4KB

Download
memory/1960-13-0x000000001AA10000-0x000000001AA1E000-memory.dmp

Filesize
56KB

Download
memory/1960-11-0x000000001A9F0000-0x000000001A9FA000-memory.dmp

Filesize
40KB

Download
memory/1960-9-0x0000000002550000-0x000000000255A000-memory.dmp

Filesize
40KB

Download
memory/1960-8-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/1960-7-0x00000000024A0000-0x00000000024B6000-memory.dmp

Filesize
88KB

Download
memory/1960-152-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-5-0x0000000002480000-0x0000000002488000-memory.dmp

Filesize
32KB

Download
memory/1960-12-0x000000001AA00000-0x000000001AA0E000-memory.dmp

Filesize
56KB

Download
memory/1960-16-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/1960-4-0x0000000000950000-0x000000000096C000-memory.dmp

Filesize
112KB

Download
memory/1960-3-0x000000001B890000-0x000000001B9BE000-memory.dmp

Filesize
1.2MB

Download
memory/1960-15-0x000000001ABB0000-0x000000001ABB8000-memory.dmp

Filesize
32KB

Download
memory/1960-2-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-14-0x000000001ABA0000-0x000000001ABA8000-memory.dmp

Filesize
32KB

Download
memory/1960-1-0x0000000000970000-0x0000000000E64000-memory.dmp

Filesize
5.0MB

Download