dcrat | 1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8

Analysis

max time kernel
119s
max time network
111s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Size

4.9MB
MD5

4d71c688218e5a5e1a1bbddb3d352f40
SHA1

4f862f38f95e19c1382fc029bd2521e686f652e7
SHA256

1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8
SHA512

adf5d8c4146810cdcbfba0511568ccc428e2318a29cb6741563c96b26fb51da5a6de1627984f819de8ccb7c312e32639ee5aad8f45588e016957fb6ffe9ce9d6
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2676	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2452-3-0x000000001B660000-0x000000001B78E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
760	powershell.exe
2792	powershell.exe
756	powershell.exe
2872	powershell.exe
2864	powershell.exe
2896	powershell.exe
1640	powershell.exe
1116	powershell.exe
1568	powershell.exe
1908	powershell.exe
2772	powershell.exe
2856	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1652	explorer.exe
1700	explorer.exe
1844	explorer.exe
1276	explorer.exe
1676	explorer.exe
1764	explorer.exe
888	explorer.exe
292	explorer.exe
1940	explorer.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE9F5.tmp	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dllhost.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Windows\de-DE\explorer.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Windows\Registration\WMIADAP.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Windows\Registration\75a57c1bdf437c	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\de-DE\RCXE784.tmp	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\de-DE\explorer.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\Tasks\dllhost.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Windows\Tasks\5940a34987c991	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File created	C:\Windows\de-DE\7a0fd90576e088	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\Tasks\RCXE513.tmp	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\Registration\RCXEBF9.tmp	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
File opened for modification	C:\Windows\Registration\WMIADAP.exe	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe
2212	schtasks.exe
1800	schtasks.exe
2760	schtasks.exe
2660	schtasks.exe
2532	schtasks.exe
2992	schtasks.exe
1656	schtasks.exe
1244	schtasks.exe
2372	schtasks.exe
2836	schtasks.exe
2560	schtasks.exe
1672	schtasks.exe
2648	schtasks.exe
864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
2792	powershell.exe
2864	powershell.exe
1908	powershell.exe
1640	powershell.exe
760	powershell.exe
1116	powershell.exe
756	powershell.exe
2856	powershell.exe
2896	powershell.exe
1568	powershell.exe
2772	powershell.exe
2872	powershell.exe
1652	explorer.exe
1700	explorer.exe
1844	explorer.exe
1276	explorer.exe
1676	explorer.exe
1764	explorer.exe
888	explorer.exe
292	explorer.exe
1940	explorer.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1652	explorer.exe
Token: SeDebugPrivilege	1700	explorer.exe
Token: SeDebugPrivilege	1844	explorer.exe
Token: SeDebugPrivilege	1276	explorer.exe
Token: SeDebugPrivilege	1676	explorer.exe
Token: SeDebugPrivilege	1764	explorer.exe
Token: SeDebugPrivilege	888	explorer.exe
Token: SeDebugPrivilege	292	explorer.exe
Token: SeDebugPrivilege	1940	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1640	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	47
PID 2452 wrote to memory of 1640	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	47
PID 2452 wrote to memory of 1640	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	47
PID 2452 wrote to memory of 760	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	48
PID 2452 wrote to memory of 760	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	48
PID 2452 wrote to memory of 760	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	48
PID 2452 wrote to memory of 1116	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	49
PID 2452 wrote to memory of 1116	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	49
PID 2452 wrote to memory of 1116	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	49
PID 2452 wrote to memory of 2792	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	50
PID 2452 wrote to memory of 2792	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	50
PID 2452 wrote to memory of 2792	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	50
PID 2452 wrote to memory of 1568	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	51
PID 2452 wrote to memory of 1568	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	51
PID 2452 wrote to memory of 1568	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	51
PID 2452 wrote to memory of 756	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	52
PID 2452 wrote to memory of 756	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	52
PID 2452 wrote to memory of 756	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	52
PID 2452 wrote to memory of 1908	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	53
PID 2452 wrote to memory of 1908	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	53
PID 2452 wrote to memory of 1908	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	53
PID 2452 wrote to memory of 2772	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	54
PID 2452 wrote to memory of 2772	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	54
PID 2452 wrote to memory of 2772	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	54
PID 2452 wrote to memory of 2872	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	55
PID 2452 wrote to memory of 2872	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	55
PID 2452 wrote to memory of 2872	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	55
PID 2452 wrote to memory of 2864	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	56
PID 2452 wrote to memory of 2864	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	56
PID 2452 wrote to memory of 2864	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	56
PID 2452 wrote to memory of 2896	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	57
PID 2452 wrote to memory of 2896	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	57
PID 2452 wrote to memory of 2896	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	57
PID 2452 wrote to memory of 2856	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	58
PID 2452 wrote to memory of 2856	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	58
PID 2452 wrote to memory of 2856	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	58
PID 2452 wrote to memory of 1652	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	71
PID 2452 wrote to memory of 1652	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	71
PID 2452 wrote to memory of 1652	2452	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe	71
PID 1652 wrote to memory of 2572	1652	explorer.exe	72
PID 1652 wrote to memory of 2572	1652	explorer.exe	72
PID 1652 wrote to memory of 2572	1652	explorer.exe	72
PID 1652 wrote to memory of 2000	1652	explorer.exe	73
PID 1652 wrote to memory of 2000	1652	explorer.exe	73
PID 1652 wrote to memory of 2000	1652	explorer.exe	73
PID 2572 wrote to memory of 1700	2572	WScript.exe	74
PID 2572 wrote to memory of 1700	2572	WScript.exe	74
PID 2572 wrote to memory of 1700	2572	WScript.exe	74
PID 1700 wrote to memory of 560	1700	explorer.exe	75
PID 1700 wrote to memory of 560	1700	explorer.exe	75
PID 1700 wrote to memory of 560	1700	explorer.exe	75
PID 1700 wrote to memory of 344	1700	explorer.exe	76
PID 1700 wrote to memory of 344	1700	explorer.exe	76
PID 1700 wrote to memory of 344	1700	explorer.exe	76
PID 560 wrote to memory of 1844	560	WScript.exe	77
PID 560 wrote to memory of 1844	560	WScript.exe	77
PID 560 wrote to memory of 1844	560	WScript.exe	77
PID 1844 wrote to memory of 1280	1844	explorer.exe	78
PID 1844 wrote to memory of 1280	1844	explorer.exe	78
PID 1844 wrote to memory of 1280	1844	explorer.exe	78
PID 1844 wrote to memory of 2496	1844	explorer.exe	79
PID 1844 wrote to memory of 2496	1844	explorer.exe	79
PID 1844 wrote to memory of 2496	1844	explorer.exe	79
PID 1280 wrote to memory of 1276	1280	WScript.exe	80

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe
"C:\Users\Admin\AppData\Local\Temp\1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\de-DE\explorer.exe
  "C:\Windows\de-DE\explorer.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\963a849a-3e67-4b9e-849e-eb97f8e192cf.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\de-DE\explorer.exe
      C:\Windows\de-DE\explorer.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b35dbc5-272c-42ca-b22b-8b582f6acaf3.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
      - C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7fe5f39-7c89-461e-b890-d851000de7c6.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4761361d-28b2-4324-b9ce-b617e8d46d57.vbs"
        9⤵
        
        PID:2844
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4df617-ffe2-4eb4-aac2-08daa733ea59.vbs"
        11⤵
        
        PID:1668
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1683173-4162-403d-aaf4-47048c82858c.vbs"
        13⤵
        
        PID:484
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54149b04-d4e0-43d7-aeef-a8aa360e3f5f.vbs"
        15⤵
        
        PID:1792
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f128525f-2cf7-48af-9546-2ac09faf336b.vbs"
        17⤵
        
        PID:2220
        
        C:\Windows\de-DE\explorer.exe
        
        C:\Windows\de-DE\explorer.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\407f3a78-3c9a-49e9-bbba-2d96389730ca.vbs"
        19⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0921a3d-68a3-4901-a2fc-3a38098e7063.vbs"
        19⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d56481-34ba-4854-8246-6516d6b1386d.vbs"
        17⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b61820e6-d893-4b13-a67f-a835c68b9b4c.vbs"
        15⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c975942-3a81-44ba-983d-2bd532abf880.vbs"
        13⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\349fa1c7-6398-4e3e-833d-b751da503e7f.vbs"
        11⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c08750d3-e392-417c-87b1-bd6b2ed696c8.vbs"
        9⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ed7477a-8d75-40d1-9c81-087700e8f61f.vbs"
        7⤵
        
        PID:2496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b1fe19-5d75-4b47-822f-f5907798b7f7.vbs"
        5⤵
        
        PID:344
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e28d0cb-9ba9-4a36-89a3-7cd39898f5ef.vbs"
    3⤵
    PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Registration\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
4.9MB

MD5
4d71c688218e5a5e1a1bbddb3d352f40

SHA1
4f862f38f95e19c1382fc029bd2521e686f652e7

SHA256
1d3c9631120b0a114de42805b8758b6729e03c03f0dd40595b4a6fa3f93033a8

SHA512
adf5d8c4146810cdcbfba0511568ccc428e2318a29cb6741563c96b26fb51da5a6de1627984f819de8ccb7c312e32639ee5aad8f45588e016957fb6ffe9ce9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e28d0cb-9ba9-4a36-89a3-7cd39898f5ef.vbs

Filesize
481B

MD5
f64c3b562cf6723e6917c10f75163967

SHA1
09687a0148da717b97dd1bbbb4c42e4b5219e57a

SHA256
7b7b218e22f37f0587b2e416be7c5a68f09fb5433da7d38c05171407b6ba70f0

SHA512
50e54a56518651d06824b66b815217de114c6f87d8d5d35940220cb84b160f07ae3f0fd1863f01729554eef11bcc84c39af8cc54e17df343ca6e8f5168477323

Download Submit
C:\Users\Admin\AppData\Local\Temp\407f3a78-3c9a-49e9-bbba-2d96389730ca.vbs

Filesize
705B

MD5
f84a606155739244d39ca523b3d3709b

SHA1
0395233eed8e673b6ae4bb2ad39d0282086f791f

SHA256
13cd0fa34b87f92976adb4e2c62a8f65de1c115906ad38ba0e03814a6f01bff1

SHA512
b145e4576667afa9552c8d3101206d439ab460a70ac983af228795e84f7ee7ff2ad7eacddf05d53d2067e8be646d05fd793c103dd12f123935ea9e2ba5fedb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4761361d-28b2-4324-b9ce-b617e8d46d57.vbs

Filesize
705B

MD5
59ff0528e691f3f6b3ebc820e9c74e4e

SHA1
13581fe5b4cc7175797c3c4fb8355688d80cac40

SHA256
92f6305a844bca86af74dc2a6780e44050e79de1bcee9be14f15d11c1e4d3278

SHA512
ab2448d8b7be020db7a33a97002c2db3f629faaa454d5ed5dc2c65814f4e50093fc0de60336f4750fb72a72e44172f76a063dc62f8e0d8f6529f4da5e9af1c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\54149b04-d4e0-43d7-aeef-a8aa360e3f5f.vbs

Filesize
704B

MD5
cab4eba1fb64ce6697ac5359fa2a4af9

SHA1
a6261dc1ff338ae6a9649035e0085b845e2fd3c8

SHA256
32ab44e66872359f72c9bbb06c2d215a7748a1d57eec191cb653768f82363d8c

SHA512
55f967f6bfdcd3de4f9f7ef82e5b08bb0402f41431d3f287c8c233243db1b75ad693066542761109d5f2f111bb440368db9f25dd967f7cb01f0efe9dc059cc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f4df617-ffe2-4eb4-aac2-08daa733ea59.vbs

Filesize
705B

MD5
49a048b62f61448a46125831275f6fb4

SHA1
4c995bede8324e6b4c975ebb985230adf714f500

SHA256
54e4b6c7be244284af5e1e0832d126118d8b74048ff607e3070f9ee1259c18ec

SHA512
fe39410541fe424da2fd9bb7428afaa9c61b5945bbada6a969ca1cf2757d9df22dfbd08cb72b50c4ba9cf0f95947f11c38fad702554c111855b68c59bd8d4e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\963a849a-3e67-4b9e-849e-eb97f8e192cf.vbs

Filesize
705B

MD5
245623069d0b904854593582f96f2d7c

SHA1
abcb6800df9688223c93e2eed7c2dc2367afb679

SHA256
593f6f0800339424075cf9e175dece38715eab69ae6b443230b2d069ce895fb6

SHA512
1c8ac47d48db50e30e2e46f60c914af432eeec8520a683a5bb1c8aa25d9ac2eeb74af97265c0b444621dc8ca5da70e9d73c62e1222b000cfb26ebe47d42b2233

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b35dbc5-272c-42ca-b22b-8b582f6acaf3.vbs

Filesize
705B

MD5
d269b55fea0c12bf895b6f6151705e56

SHA1
a580c5a2568648585c1209f2813f53c38e0fc1fd

SHA256
8af10e990de8b39c8073cef671708d539984c46927a7b80c340c30ade97791c5

SHA512
5368b7b361322613934b18ebeac14ad46305261a3c1fc69e91505184b5eef61e5ddc708695ebdfe2563679edeec9e7e35cbdb1a586b584eee9807741d36a8044

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1683173-4162-403d-aaf4-47048c82858c.vbs

Filesize
705B

MD5
cde3f7229d8a2c3a73d91dfb3ae5577d

SHA1
ba1b2812762f1671d21cc4dfd7ba5caf471566d5

SHA256
ab6cca5d355bd41fc39213fd0cc9d086fae02262b625dad86f54b28309e4fa57

SHA512
0f6b57b9519d05c9904ca6214120f605375b199a8a04a90842842affe34854f8b4ed4a1c12db222fabdf60255f93505e5a5daf9d6ef05f568653cc521beace64

Download Submit
C:\Users\Admin\AppData\Local\Temp\f128525f-2cf7-48af-9546-2ac09faf336b.vbs

Filesize
704B

MD5
71cfba15df70ed30b8b4d2dcf617515f

SHA1
ad3d036d474522e097ff7d84a2bdb9dd5fdd3c79

SHA256
e719716e55cbf88cf7fa8fb795b6d0cdb98a99ba11c7d66b48e4f3b6f4c0a8ba

SHA512
c3df598c685e1b52d0612392c9878ecf83b0bb86afff6c490e78ca730235cfd868361e4372a03a2e79263b1b0bbfdf6f5454d75a6d66666a36540bcfb6f2b704

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7fe5f39-7c89-461e-b890-d851000de7c6.vbs

Filesize
705B

MD5
f05a6c8229a221680ed5b00196f84d2a

SHA1
a73017f2f9bfbbf0510db096bab99e70c58daed1

SHA256
a00ef53950ad57cc95cc71410cd6b95cefe572e68f1004e7a9f6288563b417c6

SHA512
879c6bb1f5513ea8e1a3415011508394f5f2056a4ae876403884ca82366b89dcb2f4f3088eee504eaf2d68852ac50cf4cbdc4e0affc5c291de45f67583f97396

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CB.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
419aea050cc3bba32894c85e0d299584

SHA1
12648c3358423778500454e3f804de07ae096514

SHA256
727c510fc1d355be1ae5b1d8799ced7def4eb137ff442421d450466da6ca41f8

SHA512
92a29985b7ae0f0a24789307ec4240e72f54fb13098359e01c91516c86e28fb64b1b1941c165341a06aa02bd9f3815c49455eef58d8017645912d4410b16b1a4

Download Submit
C:\Windows\de-DE\explorer.exe

Filesize
4.9MB

MD5
b8078eda2902f5185e4b36ed1bdd4492

SHA1
11248d6f2099da23d8fc2fe80a1ca9c4bf80dab5

SHA256
7f0ce2bd548d29b1fa8550ca1019c4e2bc767022b011fbce89f4838dde09381b

SHA512
ef080fe53ccae8c828ac0a0dcc8d25de5a092037fd8663656bfdaed532d03fe8842f48d0b669bc936c1ce9f8cc7df2ee806dbfccdf9761e4ae9c9ac78b3fb1a3

Download Submit
memory/292-233-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/1276-175-0x0000000000E40000-0x0000000001334000-memory.dmp

Filesize
5.0MB

Download
memory/1640-91-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1652-119-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/1700-145-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1700-144-0x0000000000DE0000-0x00000000012D4000-memory.dmp

Filesize
5.0MB

Download
memory/1764-204-0x0000000001060000-0x0000000001554000-memory.dmp

Filesize
5.0MB

Download
memory/1844-160-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1940-248-0x0000000000160000-0x0000000000654000-memory.dmp

Filesize
5.0MB

Download
memory/1940-249-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2452-9-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2452-8-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2452-14-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2452-13-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/2452-12-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/2452-11-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2452-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2452-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2452-1-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/2452-15-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/2452-7-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2452-6-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2452-5-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2452-4-0x00000000002A0000-0x00000000002BC000-memory.dmp

Filesize
112KB

Download
memory/2452-3-0x000000001B660000-0x000000001B78E000-memory.dmp

Filesize
1.2MB

Download
memory/2452-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-16-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2452-130-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-92-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download