dcrat | 02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-09-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Size

4.9MB
MD5

9f28672d5f9616c0ba11631392dbf180
SHA1

fdfb05bd604067b16bdf10aa0e98530424ab0b0d
SHA256

02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666
SHA512

bfa229a6c0aea13eb148f2f78b5de7cd1d035b474c1508c4c9bfe12739dc0006052a2f7d441bb0ea2760b02db170bb55a2090760e5c3869f608137a1982cce9b
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2736	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2736	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1924-3-0x000000001B570000-0x000000001B69E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
840	powershell.exe
2164	powershell.exe
2668	powershell.exe
2112	powershell.exe
3032	powershell.exe
1636	powershell.exe
2304	powershell.exe
2320	powershell.exe
2152	powershell.exe
2596	powershell.exe
2504	powershell.exe
3036	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2784	explorer.exe
380	explorer.exe
2704	explorer.exe
2320	explorer.exe
1524	explorer.exe
2960	explorer.exe
2124	explorer.exe
584	explorer.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXBB46.tmp	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXBDB7.tmp	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXB932.tmp	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCXC029.tmp	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\b75386f1303e64	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files\Uninstall Information\explorer.exe	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC22D.tmp	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2784	schtasks.exe
2760	schtasks.exe
2892	schtasks.exe
2888	schtasks.exe
2632	schtasks.exe
1904	schtasks.exe
580	schtasks.exe
2744	schtasks.exe
1296	schtasks.exe
2680	schtasks.exe
1788	schtasks.exe
2940	schtasks.exe
2840	schtasks.exe
2652	schtasks.exe
2740	schtasks.exe
2624	schtasks.exe
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
2152	powershell.exe
2320	powershell.exe
2504	powershell.exe
3036	powershell.exe
2112	powershell.exe
2164	powershell.exe
1636	powershell.exe
2668	powershell.exe
840	powershell.exe
2304	powershell.exe
2596	powershell.exe
3032	powershell.exe
2784	explorer.exe
380	explorer.exe
2704	explorer.exe
2320	explorer.exe
1524	explorer.exe
2960	explorer.exe
2124	explorer.exe
584	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2784	explorer.exe
Token: SeDebugPrivilege	380	explorer.exe
Token: SeDebugPrivilege	2704	explorer.exe
Token: SeDebugPrivilege	2320	explorer.exe
Token: SeDebugPrivilege	1524	explorer.exe
Token: SeDebugPrivilege	2960	explorer.exe
Token: SeDebugPrivilege	2124	explorer.exe
Token: SeDebugPrivilege	584	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3036	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	49
PID 1924 wrote to memory of 3036	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	49
PID 1924 wrote to memory of 3036	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	49
PID 1924 wrote to memory of 3032	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	50
PID 1924 wrote to memory of 3032	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	50
PID 1924 wrote to memory of 3032	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	50
PID 1924 wrote to memory of 2668	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	51
PID 1924 wrote to memory of 2668	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	51
PID 1924 wrote to memory of 2668	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	51
PID 1924 wrote to memory of 2504	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	52
PID 1924 wrote to memory of 2504	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	52
PID 1924 wrote to memory of 2504	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	52
PID 1924 wrote to memory of 2164	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	53
PID 1924 wrote to memory of 2164	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	53
PID 1924 wrote to memory of 2164	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	53
PID 1924 wrote to memory of 2596	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	54
PID 1924 wrote to memory of 2596	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	54
PID 1924 wrote to memory of 2596	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	54
PID 1924 wrote to memory of 2152	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	55
PID 1924 wrote to memory of 2152	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	55
PID 1924 wrote to memory of 2152	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	55
PID 1924 wrote to memory of 840	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	59
PID 1924 wrote to memory of 840	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	59
PID 1924 wrote to memory of 840	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	59
PID 1924 wrote to memory of 2112	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	60
PID 1924 wrote to memory of 2112	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	60
PID 1924 wrote to memory of 2112	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	60
PID 1924 wrote to memory of 2320	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	61
PID 1924 wrote to memory of 2320	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	61
PID 1924 wrote to memory of 2320	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	61
PID 1924 wrote to memory of 2304	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	62
PID 1924 wrote to memory of 2304	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	62
PID 1924 wrote to memory of 2304	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	62
PID 1924 wrote to memory of 1636	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	63
PID 1924 wrote to memory of 1636	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	63
PID 1924 wrote to memory of 1636	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	63
PID 1924 wrote to memory of 2860	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	73
PID 1924 wrote to memory of 2860	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	73
PID 1924 wrote to memory of 2860	1924	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe	73
PID 2860 wrote to memory of 2056	2860	cmd.exe	75
PID 2860 wrote to memory of 2056	2860	cmd.exe	75
PID 2860 wrote to memory of 2056	2860	cmd.exe	75
PID 2860 wrote to memory of 2784	2860	cmd.exe	77
PID 2860 wrote to memory of 2784	2860	cmd.exe	77
PID 2860 wrote to memory of 2784	2860	cmd.exe	77
PID 2784 wrote to memory of 1580	2784	explorer.exe	78
PID 2784 wrote to memory of 1580	2784	explorer.exe	78
PID 2784 wrote to memory of 1580	2784	explorer.exe	78
PID 2784 wrote to memory of 836	2784	explorer.exe	79
PID 2784 wrote to memory of 836	2784	explorer.exe	79
PID 2784 wrote to memory of 836	2784	explorer.exe	79
PID 1580 wrote to memory of 380	1580	WScript.exe	80
PID 1580 wrote to memory of 380	1580	WScript.exe	80
PID 1580 wrote to memory of 380	1580	WScript.exe	80
PID 380 wrote to memory of 1592	380	explorer.exe	81
PID 380 wrote to memory of 1592	380	explorer.exe	81
PID 380 wrote to memory of 1592	380	explorer.exe	81
PID 380 wrote to memory of 624	380	explorer.exe	82
PID 380 wrote to memory of 624	380	explorer.exe	82
PID 380 wrote to memory of 624	380	explorer.exe	82
PID 1592 wrote to memory of 2704	1592	WScript.exe	83
PID 1592 wrote to memory of 2704	1592	WScript.exe	83
PID 1592 wrote to memory of 2704	1592	WScript.exe	83
PID 2704 wrote to memory of 1204	2704	explorer.exe	84

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe
"C:\Users\Admin\AppData\Local\Temp\02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8BjaCEHPbN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2056
- - C:\Program Files\Uninstall Information\explorer.exe
    "C:\Program Files\Uninstall Information\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2784
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\123dcc14-5af5-44e0-a11d-b0f90328aff6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:380
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f26018f-15f9-4387-ad58-93dda4d46362.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51438771-1ab4-4eee-870b-c829f569c405.vbs"
        8⤵
        
        PID:1204
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46bae774-abd0-4585-a0c0-325b87cbbde6.vbs"
        10⤵
        
        PID:2396
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9affada9-07b2-42b9-9706-80eed5ab76dd.vbs"
        12⤵
        
        PID:2392
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1b5f0e8-0ebd-4f96-bd26-58edd88831ae.vbs"
        14⤵
        
        PID:2936
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\410d8ca3-a15f-43b8-9d73-26b37eb594db.vbs"
        16⤵
        
        PID:956
        
        C:\Program Files\Uninstall Information\explorer.exe
        
        "C:\Program Files\Uninstall Information\explorer.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c69fbaa3-28ce-4767-a18f-15b19cb1c47d.vbs"
        18⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d89b43de-d095-46ad-8287-da8040b79c6c.vbs"
        18⤵
        
        PID:2520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0cdd691-efcf-4457-b037-f92197f7aa24.vbs"
        16⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e3239a8-b1ce-4d30-bfa4-e562afb842e3.vbs"
        14⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e87868ff-bf08-498e-b4a6-514efabc4f1f.vbs"
        12⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e5fbea8-0ef4-41f6-812e-7eaa0d1c80df.vbs"
        10⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d89de93-2e6d-40e8-82d3-33f2c5aeb1e7.vbs"
        8⤵
        
        PID:556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d1c5b4a-ed50-45a7-9353-e675970451f0.vbs"
        6⤵
        
        PID:624
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9d2d56a-fa79-4e9a-a17b-dea81345a763.vbs"
      4⤵
      PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
4.9MB

MD5
0eb1e861901e71b64c36de32e1914b5e

SHA1
bd2478455ae5727c65ff70e6685d71f87f60991b

SHA256
dacd21b9e8e682b862a6bf83091616167ef2be740d5f4e83b6fe1395b8e72aa4

SHA512
50062126fa38afec7c45b3ba4ed618b1767547fb6858869e79d0b287aae299a67b655f29956b38cf20b283bd3abfbfab1e18b1dcabb90fad0c06158f4422106b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe

Filesize
4.9MB

MD5
9f28672d5f9616c0ba11631392dbf180

SHA1
fdfb05bd604067b16bdf10aa0e98530424ab0b0d

SHA256
02db784841b1c18c43464317ddaf9221406cb45883305516f886113f79977666

SHA512
bfa229a6c0aea13eb148f2f78b5de7cd1d035b474c1508c4c9bfe12739dc0006052a2f7d441bb0ea2760b02db170bb55a2090760e5c3869f608137a1982cce9b

Download Submit
C:\Program Files\Uninstall Information\explorer.exe

Filesize
4.9MB

MD5
5ca0c75a611ad93960873005d82bae17

SHA1
ac0218d81d4f9d17fae11b0226ed740394c20042

SHA256
956267b9cd938826f27bdb709ad378a4bcea40897fc01c24e3e7520a284e10c7

SHA512
6544e31bf1d977793ca9b0cd773e969c8d24747655da6ec1e3f11946a58fb7d244492c5ff4ff9d700d9f381f1756a66e6be514864b711262e6d6120e42d9216e

Download Submit
C:\Users\Admin\AppData\Local\Temp\123dcc14-5af5-44e0-a11d-b0f90328aff6.vbs

Filesize
727B

MD5
b7fc77bf1e76df820a91bbd2a290affd

SHA1
0b8c3f593043a228b56ee150a9c51a384904d5e5

SHA256
cd6efa03a03dfc3998ee029703b4890c6410446a96b279db086e109ddc5bbd07

SHA512
cad2b61ff377da2670096c5bb776deb2b30c70a94d35cf807d6908c2a4a572710d835afbe4e0c19d61454732a9a6c2cd82ce288a48f1aa2bbd79f0d1719c0301

Download Submit
C:\Users\Admin\AppData\Local\Temp\410d8ca3-a15f-43b8-9d73-26b37eb594db.vbs

Filesize
727B

MD5
e28017fcae20f00b5b680538f70b1847

SHA1
0c56c6f1ecd27a4a871e8897a499c2604c04d9d2

SHA256
cc3874a225a598c3eefd251132dc5f27d0c8f94af7939ee913124051b5ec4048

SHA512
77822a30f2a334fe4a36bddfebd45b1b7f6d94cb9750c06988104cc9b36225bad63fb7ae2957576d87ef03af3fa19c45af5b95cd5dd9ac623ff8f51657721a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\46bae774-abd0-4585-a0c0-325b87cbbde6.vbs

Filesize
727B

MD5
c4db93fe270a32329156f6625e4b3ffa

SHA1
e65512f686627f9a33ef54a39a7d65e7bf56631d

SHA256
d9c26ccba4fa9cabe2b059e79d5ab3902f8183b969b36bcb8721b0e00023637e

SHA512
0cea8eeab2e98e5ba998382103f165a6970b9c36ffda28b8a6c30f91fc29cb2fa4537a42152091638e0e3c02cee6ae5dd57f666e486723486f13e0465b54f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\51438771-1ab4-4eee-870b-c829f569c405.vbs

Filesize
727B

MD5
69c3d4f88f7cdf138940786d26c36b7d

SHA1
8ba3fe8843aa39a566e4b64dbb08d3b79c8887cd

SHA256
4380c687669e72d9f209d187cea38f6862304b95aa9c4bb3cff1e5c49a58ed9c

SHA512
b9171b20d8269796500473cd2b656e62eae652334cd98b631ac97a4a4d7aee6792804f268ad7f03b1a3203aa174f89694d7d32ba12bdb7efe8a1ead11c0f7edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f26018f-15f9-4387-ad58-93dda4d46362.vbs

Filesize
726B

MD5
ec0ff965a7161acf2d4c1f9be5805533

SHA1
d07bbe973622bcc6131baf794be67a50f8de9af4

SHA256
aa49796d389afc86cf96d5e9d13aa74b958641e8b4008e847f51c90bc4cf18a0

SHA512
9e229250daa9b1d124898225e64292e3b0c6d0ff5c4756d892779e58684bc77ef6b0f315cf3f5a3489f586b2ef7609701ba76f3292ebfb77d0a8f4ff2bff901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BjaCEHPbN.bat

Filesize
216B

MD5
81df4b30d8326b486ac59380ce928550

SHA1
bfce6a8c46471cdb3271c1636ed722e68842b2ec

SHA256
a84991f22d25f60b52ce86f577a77cc350c30e0cb185f47871144b1e38e28420

SHA512
80ef218b19826dce90333c2ef432eb270122e7d61d8ad6adbd9e6dd88544e6b1859271baa9282a1288fd78bc526be3e7c584919e1428f1949b951b05adb3b8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\9affada9-07b2-42b9-9706-80eed5ab76dd.vbs

Filesize
727B

MD5
6c82ef21f0361ad01191c73a015b09ab

SHA1
ef27d58e4751c5270297f80703ee1839fb84ec60

SHA256
febff281c7ee131a0ea369a6ca5a724d9cf12924cdb42512dbcc74f182fe781e

SHA512
e83d3de8314caaa4e5459a921d3ac3e5c1b4f41ab5492939fd481e906067eb5b67d0f0929034a3282b6f9fcf805cb9ffb65952086e07be1415a78334dbd15610

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9d2d56a-fa79-4e9a-a17b-dea81345a763.vbs

Filesize
503B

MD5
f6ca186c438071008aadf4343e3c1d39

SHA1
641b7941a14170130ec1141d495c31b6b88d4273

SHA256
43b0b7f4e45bdfe1f214ec479811d6daddd8815b5d220923cb9c7244c5287ead

SHA512
edf924d21ec15506a778e2a46231b777497260f005c5380859a92ef05dd86532e4259e824785151c08219ac883b329420950ca4dd5c04de2164d2b31b9db092f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c69fbaa3-28ce-4767-a18f-15b19cb1c47d.vbs

Filesize
726B

MD5
70f9ba35ac6d0a08ae4dd5ac877ca800

SHA1
97cf161958570cf82d20d25d134b4b5593ede210

SHA256
bd3623414f4a54745e692993dcd312d7bd899f09bff320551408f12bc55e8c79

SHA512
41a9c61263421ce6639ca89b9349a8f4bb07bf6caf706e8683f824f96e7c40d60650cf0dcf2cd67dedd475ec500b0f21c322026aeef91620dfb00813028c6d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1b5f0e8-0ebd-4f96-bd26-58edd88831ae.vbs

Filesize
727B

MD5
b312e3533fff0350087630524daf1040

SHA1
68d8ac4d6c77466c16db9372081e545a86085fdc

SHA256
6e6b6001f1370d0889b18a7e3293ff41071b05b9981e3a6ea8c62b44b2c52c08

SHA512
7f762a3c215e2b1f7f516858bdf7f767e49523bcc50ce5b03c4e7e094320233c6f57c5f95157bfac5baedf92075efbc0b5a0633d63b690d2bd6f253f2f7eb739

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB97.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
70ebfd6cf726b3d6c3116df63e4f2091

SHA1
9662f13cc51cce47411bd96978aff71662c662bf

SHA256
13dc778370e71f6477dcac640432c9b218f9cc741bcd802a0c1a9136c24db3a2

SHA512
7596825f6912430287a44d1d3c24b07e9bd13cea69321bf41163742b53953f556aa59bb25ff01a46af6bf1832a81007b323fcbf49eb00c985e7c11316ee012a0

Download Submit
memory/380-158-0x0000000000120000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/584-248-0x0000000000F70000-0x0000000001464000-memory.dmp

Filesize
5.0MB

Download
memory/1524-203-0x0000000000C10000-0x0000000001104000-memory.dmp

Filesize
5.0MB

Download
memory/1924-10-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1924-3-0x000000001B570000-0x000000001B69E000-memory.dmp

Filesize
1.2MB

Download
memory/1924-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1924-15-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1924-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/1924-139-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-14-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/1924-1-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download
memory/1924-13-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/1924-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1924-4-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/1924-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/1924-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/1924-16-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/1924-8-0x0000000000B20000-0x0000000000B30000-memory.dmp

Filesize
64KB

Download
memory/1924-5-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1924-7-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/1924-6-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2124-232-0x0000000000D10000-0x0000000001204000-memory.dmp

Filesize
5.0MB

Download
memory/2124-233-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2152-87-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2152-107-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2320-188-0x0000000000180000-0x0000000000674000-memory.dmp

Filesize
5.0MB

Download
memory/2704-173-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/2784-144-0x00000000013B0000-0x00000000018A4000-memory.dmp

Filesize
5.0MB

Download