dcrat | 7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc13b91c624a83201054fb4958f229f0N.exe
Size

4.9MB
MD5

bc13b91c624a83201054fb4958f229f0
SHA1

e27bb3f83e915fff4a688543cc1c2077f7772683
SHA256

7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e
SHA512

99c8350b74759c11ef9f0a52091127624d0fb2105f836799733bb48104a7e4b6d4fa5cf27588c6f32c43370f4e373a1415b055240778d1a689a20691ba550077
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2444	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2444	schtasks.exe

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bc13b91c624a83201054fb4958f229f0N.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2120-3-0x000000001B4F0000-0x000000001B61E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1352	powershell.exe
1776	powershell.exe
440	powershell.exe
1136	powershell.exe
2596	powershell.exe
2356	powershell.exe
772	powershell.exe
564	powershell.exe
1356	powershell.exe
2240	powershell.exe
2600	powershell.exe
1820	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid process

1824 System.exe
2032 System.exe
2280 System.exe
1200 System.exe
2432 System.exe
1988 System.exe
2556 System.exe
1388 System.exe
236 System.exe

pid	process
1824	System.exe
2032	System.exe
2280	System.exe
1200	System.exe
2432	System.exe
1988	System.exe
2556	System.exe
1388	System.exe
236	System.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bc13b91c624a83201054fb4958f229f0N.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bc13b91c624a83201054fb4958f229f0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Drops file in Program Files directory 16 IoCs

Processes:

bc13b91c624a83201054fb4958f229f0N.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXDD5C.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6203df4a6bafc7	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\System.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXDB58.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\27d1bcfc3c54e0	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\886983d96e3d3e	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCXD472.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\System.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files\Mozilla Firefox\fonts\csrss.exe	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCF90.tmp	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	bc13b91c624a83201054fb4958f229f0N.exe

Drops file in Windows directory 4 IoCs

Processes:

bc13b91c624a83201054fb4958f229f0N.exe

description	ioc	process
File opened for modification	C:\Windows\ehome\de-DE\dllhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\ehome\de-DE\dllhost.exe	bc13b91c624a83201054fb4958f229f0N.exe
File created	C:\Windows\ehome\de-DE\5940a34987c991	bc13b91c624a83201054fb4958f229f0N.exe
File opened for modification	C:\Windows\ehome\de-DE\RCXD6E4.tmp	bc13b91c624a83201054fb4958f229f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2908	schtasks.exe
2912	schtasks.exe
2732	schtasks.exe
2436	schtasks.exe
1992	schtasks.exe
2880	schtasks.exe
2872	schtasks.exe
2788	schtasks.exe
1816	schtasks.exe
2500	schtasks.exe
1616	schtasks.exe
1596	schtasks.exe
2752	schtasks.exe
2636	schtasks.exe
1788	schtasks.exe
1652	schtasks.exe
1532	schtasks.exe
1344	schtasks.exe
1812	schtasks.exe
2976	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

bc13b91c624a83201054fb4958f229f0N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exepowershell.exepowershell.exepowershell.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

pid	process
2120	bc13b91c624a83201054fb4958f229f0N.exe
2120	bc13b91c624a83201054fb4958f229f0N.exe
2120	bc13b91c624a83201054fb4958f229f0N.exe
564	powershell.exe
2356	powershell.exe
772	powershell.exe
2596	powershell.exe
1820	powershell.exe
440	powershell.exe
2240	powershell.exe
1136	powershell.exe
2600	powershell.exe
1824	System.exe
1352	powershell.exe
1776	powershell.exe
1356	powershell.exe
2032	System.exe
2280	System.exe
1200	System.exe
2432	System.exe
1988	System.exe
2556	System.exe
1388	System.exe
236	System.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

bc13b91c624a83201054fb4958f229f0N.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exe

description	pid	process
Token: SeDebugPrivilege	2120	bc13b91c624a83201054fb4958f229f0N.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1824	System.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2032	System.exe
Token: SeDebugPrivilege	2280	System.exe
Token: SeDebugPrivilege	1200	System.exe
Token: SeDebugPrivilege	2432	System.exe
Token: SeDebugPrivilege	1988	System.exe
Token: SeDebugPrivilege	2556	System.exe
Token: SeDebugPrivilege	1388	System.exe
Token: SeDebugPrivilege	236	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc13b91c624a83201054fb4958f229f0N.exeSystem.exeWScript.exeSystem.exeWScript.exeSystem.exeWScript.exe

description	pid	process	target process
PID 2120 wrote to memory of 2356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1352	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1352	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1352	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 772	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 772	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 772	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1776	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1776	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1776	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 564	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 564	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 564	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 440	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 440	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 440	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1136	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1136	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1136	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1356	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2240	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2240	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2240	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2600	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2600	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2600	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2596	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2596	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 2596	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1820	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1820	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1820	2120	bc13b91c624a83201054fb4958f229f0N.exe	powershell.exe
PID 2120 wrote to memory of 1824	2120	bc13b91c624a83201054fb4958f229f0N.exe	System.exe
PID 2120 wrote to memory of 1824	2120	bc13b91c624a83201054fb4958f229f0N.exe	System.exe
PID 2120 wrote to memory of 1824	2120	bc13b91c624a83201054fb4958f229f0N.exe	System.exe
PID 1824 wrote to memory of 1764	1824	System.exe	WScript.exe
PID 1824 wrote to memory of 1764	1824	System.exe	WScript.exe
PID 1824 wrote to memory of 1764	1824	System.exe	WScript.exe
PID 1824 wrote to memory of 2960	1824	System.exe	WScript.exe
PID 1824 wrote to memory of 2960	1824	System.exe	WScript.exe
PID 1824 wrote to memory of 2960	1824	System.exe	WScript.exe
PID 1764 wrote to memory of 2032	1764	WScript.exe	System.exe
PID 1764 wrote to memory of 2032	1764	WScript.exe	System.exe
PID 1764 wrote to memory of 2032	1764	WScript.exe	System.exe
PID 2032 wrote to memory of 1584	2032	System.exe	WScript.exe
PID 2032 wrote to memory of 1584	2032	System.exe	WScript.exe
PID 2032 wrote to memory of 1584	2032	System.exe	WScript.exe
PID 2032 wrote to memory of 2896	2032	System.exe	WScript.exe
PID 2032 wrote to memory of 2896	2032	System.exe	WScript.exe
PID 2032 wrote to memory of 2896	2032	System.exe	WScript.exe
PID 1584 wrote to memory of 2280	1584	WScript.exe	System.exe
PID 1584 wrote to memory of 2280	1584	WScript.exe	System.exe
PID 1584 wrote to memory of 2280	1584	WScript.exe	System.exe
PID 2280 wrote to memory of 628	2280	System.exe	WScript.exe
PID 2280 wrote to memory of 628	2280	System.exe	WScript.exe
PID 2280 wrote to memory of 628	2280	System.exe	WScript.exe
PID 2280 wrote to memory of 2176	2280	System.exe	WScript.exe
PID 2280 wrote to memory of 2176	2280	System.exe	WScript.exe
PID 2280 wrote to memory of 2176	2280	System.exe	WScript.exe
PID 628 wrote to memory of 1200	628	WScript.exe	System.exe

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

System.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exeSystem.exebc13b91c624a83201054fb4958f229f0N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bc13b91c624a83201054fb4958f229f0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bc13b91c624a83201054fb4958f229f0N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bc13b91c624a83201054fb4958f229f0N.exe
"C:\Users\Admin\AppData\Local\Temp\bc13b91c624a83201054fb4958f229f0N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Program Files\Windows Photo Viewer\de-DE\System.exe
  "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbc1e25c-c4d5-46d6-8609-c07859c18cd3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Program Files\Windows Photo Viewer\de-DE\System.exe
      "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4791a0c9-78c3-4452-9994-6aff1d576742.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73eabf65-5c60-4609-8eed-4aec75e7c8ad.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40dbf9e5-a7bb-4bfd-85d6-c0c272103c7e.vbs"
        9⤵
        
        PID:1532
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1b3234-c453-42b6-b65a-6b21475ede7d.vbs"
        11⤵
        
        PID:2876
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee0c566-8db6-4040-8bdb-912b87fd1713.vbs"
        13⤵
        
        PID:2068
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afbf69f7-f46a-46a6-9d20-f3b3eb68da6a.vbs"
        15⤵
        
        PID:1672
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d0b4d2-a8aa-4aee-9e8c-ad2844def313.vbs"
        17⤵
        
        PID:956
        
        C:\Program Files\Windows Photo Viewer\de-DE\System.exe
        
        "C:\Program Files\Windows Photo Viewer\de-DE\System.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8656d12-f010-44a4-a585-8010416dae87.vbs"
        19⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb3668ab-fe09-4eec-8cc8-866a37fa4311.vbs"
        19⤵
        
        PID:596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\351ba695-f3e2-4ea0-8601-eee5b190d972.vbs"
        17⤵
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115de075-4ea4-476c-9e51-620a22cc9eae.vbs"
        15⤵
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3667f356-01ca-42df-a6c9-a471d46151fb.vbs"
        13⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e26150b0-f039-45b9-8ec9-e3c9804ca934.vbs"
        11⤵
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90748dd-cfae-44b4-9ee4-105a306118b4.vbs"
        9⤵
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56017644-dd5b-44df-aaa7-0afbe57b86f5.vbs"
        7⤵
        
        PID:2176
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\484fbb92-1c5d-4f8c-9a95-f83d91f00151.vbs"
        5⤵
        
        PID:2896
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e43e44a8-18f9-47be-b1a1-db71a1bab459.vbs"
    3⤵
    PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ehome\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe

Filesize
4.9MB

MD5
bc13b91c624a83201054fb4958f229f0

SHA1
e27bb3f83e915fff4a688543cc1c2077f7772683

SHA256
7cdfdfd48788451694fbaf74b9577f4b0f2233bdc08dc5989f65affa61ab5b6e

SHA512
99c8350b74759c11ef9f0a52091127624d0fb2105f836799733bb48104a7e4b6d4fa5cf27588c6f32c43370f4e373a1415b055240778d1a689a20691ba550077

Download Submit
C:\Users\Admin\AppData\Local\Temp\40dbf9e5-a7bb-4bfd-85d6-c0c272103c7e.vbs

Filesize
730B

MD5
72a65fcdd4b38c315afb89bb7132f745

SHA1
70c58f2e54cf7b07cb0d5cb005d78f81281f717f

SHA256
1782a6bb745ba2e7e0d9c4576c1b8deebfc459183071c218c2ccd05137865b01

SHA512
01630b86b9ef5fc6c06b5ca49ee8ebff53ba92260356d3d5d6731b1fedd75f41fe4ac4c55dc0d8bac47c773647a8284f96ce85bdf7f9735311af9eebfee574d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4791a0c9-78c3-4452-9994-6aff1d576742.vbs

Filesize
730B

MD5
bf87ba1b058d63759459ac1c9202590b

SHA1
071cf71fce0af610ce7db2c3dc2aa81498f62865

SHA256
97410b9a365f32a5869b0918fa80a285e22c82566b0230ac20b2672a03ee04d7

SHA512
54596daddb2e168a4589b723e35618e30a916f8f1b974c3d0b590d1ea88b4e23f8a6b9b5b8e7c0ccd8c995ad02efcb3019a45b1174532af4105ccec2a466f152

Download Submit
C:\Users\Admin\AppData\Local\Temp\73eabf65-5c60-4609-8eed-4aec75e7c8ad.vbs

Filesize
730B

MD5
ad7e01cbbaa9d3ab621eae27df01bf96

SHA1
ec7dfead0f14ddf897878c076d3f692ac326dfea

SHA256
298cfc93a2fb2cb89b6b4d71a2fbaece89c0dad0a50d9e22baf7c2a9897e24ef

SHA512
95a098866138e91d61d925ff709d3f03b5cbd5390f2ce4edfb1581fa335c2a4a64f4e42f8cdfe5a246f5a2627c2ae08e39a6ee737cc5611ddc388892aad969c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b1b3234-c453-42b6-b65a-6b21475ede7d.vbs

Filesize
730B

MD5
c013078923e63eed8fc731abcdec7fa7

SHA1
699e379812014c745069cee2218cd850bbc33495

SHA256
364a5f37a83966457c601a554a691d7aa9e1464adf75ba59cf2ce5f2b1d39ee0

SHA512
b6772e2c649f40a4034270b9395114d8717c7fa1e4d99b3e80562a419702747963ce1de7b9395893d24eda985e2d639bddae569cb32cbc7196c1ee49f4af17a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aee0c566-8db6-4040-8bdb-912b87fd1713.vbs

Filesize
730B

MD5
1b705eadf689c70533030ec83f09fdb5

SHA1
097bb7cb40d4e7100084565c65f5953896a2f298

SHA256
7c049018c82bf736f048151f9ec4ca79b3c6628ce69d2db8e83910d0456012d0

SHA512
8996763e9099f90295a6019ff892dcf411a88fb1595fb7c7946d672f52b20082654a76fb73d24b01b1869fb2c6ec341b61be1ff84b0a9edbde0444facb81f210

Download Submit
C:\Users\Admin\AppData\Local\Temp\afbf69f7-f46a-46a6-9d20-f3b3eb68da6a.vbs

Filesize
730B

MD5
73059a8127642396a4b65d8edd5c818e

SHA1
11689ba17ba0673c807e25c18d603423d285cd85

SHA256
041d7a02a8ddd4fbeae75b80a5d3cffc562dc719bc038051063fbfbd8e0de2e3

SHA512
f79f683f0309218667b6de266f5187c2f6f03162a404419f18ab747118941e5d697d93246d7f828baa5f1adb497b1d1b909bf2f30f76a056a677c75b7077cec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbc1e25c-c4d5-46d6-8609-c07859c18cd3.vbs

Filesize
730B

MD5
37e36f0cdced58802d51655aa751fa71

SHA1
66a94f938ebff322ad0c93001bd48873e3a56fbb

SHA256
9fcf81dd8ada684c5018f5e20c97285a4dd1ca341bccbe60f421bf7e4f003a63

SHA512
df74fd4054ebfbd1d1f089a035382206558898a8a8e2ee8964915a8796c1c210aa7ec04f88951e4769970e1a725a7ed343414b8c88474fc2d5e7b54cfa6b7291

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8656d12-f010-44a4-a585-8010416dae87.vbs

Filesize
729B

MD5
88fb9110b2476f39d7bafcc6c4a94f54

SHA1
e536e51e8602afff47b96017a3732098b92b9d57

SHA256
72f40fe0127473b1356977135d3facc92a9eb2c60e2322857a9b6d2d1dd70aa5

SHA512
7e4277aae143a0f0d539312464b293b917b499bc28a9aa6c9b412110af7e18dbe8283fd4b2de3b9c8eba3d1b20fe90b54d647f3192b972dcb7c5fbc8e6ddb50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e43e44a8-18f9-47be-b1a1-db71a1bab459.vbs

Filesize
506B

MD5
2ea7257aa892a52322fcb602938b406f

SHA1
375f116bf1e643ef9d546b0847dee3c708f04304

SHA256
84bcdcb1917f3d0a99621d59157c639bfcc7ab34a1641478452431a09392eb67

SHA512
a95abe8299fcdc7fada7b0f6b533ce57223e5c691585f91e28045280af897cab1e921e2bc318fbd7f595db49f66f78214fdc35785674c17baf9fc410a1815618

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9d0b4d2-a8aa-4aee-9e8c-ad2844def313.vbs

Filesize
730B

MD5
925727955b3af154227428d9861a6912

SHA1
7acadb6c1876c94e2865c9a8be217b45905ead9a

SHA256
426a57019e3c93451d33b999abaa995a1b575f0c44716731709cc849b588968f

SHA512
807fe6082687b1acae428c58fdb7f4c3ff10778694de1d5f073ef391b014a24b3ddf2fc81561dec6bbea45c48e708fcffea91538642a5b0f34aadf8129178f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED9A.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9a617903482c22325d869b2483f67453

SHA1
e8dfca4b5bf3eaf326831c154cea6894bbea9aae

SHA256
082a0caae5020a009e9188604915a8dd46df84ef4d686cbc1fad92471ff008f0

SHA512
06e347b1c4885bd310e10fd07464b6779ba02df220135eeace0c2081127d80b5810594566dfca0fabb864ec6337018684ee37bea71cf226eb457e81dd00b8c73

Download Submit
C:\Windows\ehome\de-DE\RCXD6E4.tmp

Filesize
4.9MB

MD5
04e5eea46177bbeb7b9ad51d6b064a19

SHA1
55d573a85aeafe3c950e26e61dd75c655c26c9de

SHA256
7f7366f36ee07ded42ba4dfebc00b099806e23b0203e34d6b8a132f9357e1e01

SHA512
195d022483a446ca2fb92bd819241235298522fc8556674375f2bff01a835d258b65f7cacde55bd3eb0a7f3714b740b59565a7536a9e41c188fe61642ff8d9bf

Download Submit
memory/236-267-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/564-92-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/564-90-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1200-191-0x00000000000C0000-0x00000000005B4000-memory.dmp

Filesize
5.0MB

Download
memory/1200-192-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/1388-252-0x0000000001390000-0x0000000001884000-memory.dmp

Filesize
5.0MB

Download
memory/1824-85-0x0000000001230000-0x0000000001724000-memory.dmp

Filesize
5.0MB

Download
memory/1988-222-0x00000000012D0000-0x00000000017C4000-memory.dmp

Filesize
5.0MB

Download
memory/2032-161-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2120-13-0x0000000001180000-0x000000000118E000-memory.dmp

Filesize
56KB

Download
memory/2120-9-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/2120-14-0x0000000001290000-0x0000000001298000-memory.dmp

Filesize
32KB

Download
memory/2120-15-0x00000000012A0000-0x00000000012A8000-memory.dmp

Filesize
32KB

Download
memory/2120-132-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-12-0x0000000001170000-0x000000000117E000-memory.dmp

Filesize
56KB

Download
memory/2120-16-0x00000000013B0000-0x00000000013BC000-memory.dmp

Filesize
48KB

Download
memory/2120-11-0x0000000001160000-0x000000000116A000-memory.dmp

Filesize
40KB

Download
memory/2120-10-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/2120-3-0x000000001B4F0000-0x000000001B61E000-memory.dmp

Filesize
1.2MB

Download
memory/2120-8-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/2120-1-0x00000000013C0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2120-7-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/2120-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2120-6-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2120-2-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-5-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2120-4-0x0000000000BF0000-0x0000000000C0C000-memory.dmp

Filesize
112KB

Download
memory/2280-176-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/2432-207-0x0000000000F20000-0x0000000001414000-memory.dmp

Filesize
5.0MB

Download
memory/2556-237-0x00000000012F0000-0x00000000017E4000-memory.dmp

Filesize
5.0MB

Download