dcrat | 9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Size

4.9MB
MD5

f32026ab859baf87e56f628b87ec52a0
SHA1

926a579598eb4364b9cd10a036a294809fd3cb16
SHA256

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975
SHA512

69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2472	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2472	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2472	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2472	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2472	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2472	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1452-3-0x000000001B640000-0x000000001B76E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
2632	powershell.exe
2404	powershell.exe
2908	powershell.exe
1832	powershell.exe
2880	powershell.exe
2100	powershell.exe
2656	powershell.exe
2156	powershell.exe
1524	powershell.exe
2164	powershell.exe
2476	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2216	taskhost.exe
2992	taskhost.exe
1380	taskhost.exe
2404	taskhost.exe
1144	taskhost.exe
1248	taskhost.exe
2244	taskhost.exe
1796	taskhost.exe
2956	taskhost.exe
1964	taskhost.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\taskhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\taskhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\VideoLAN\VLC\b75386f1303e64	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXA258.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2748	schtasks.exe
2776	schtasks.exe
2708	schtasks.exe
2784	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
2608	powershell.exe
2100	powershell.exe
1832	powershell.exe
2632	powershell.exe
1524	powershell.exe
2404	powershell.exe
2164	powershell.exe
2880	powershell.exe
2156	powershell.exe
2908	powershell.exe
2476	powershell.exe
2656	powershell.exe
2216	taskhost.exe
2992	taskhost.exe
1380	taskhost.exe
2404	taskhost.exe
1144	taskhost.exe
1248	taskhost.exe
2244	taskhost.exe
1796	taskhost.exe
2956	taskhost.exe
1964	taskhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2216	taskhost.exe
Token: SeDebugPrivilege	2992	taskhost.exe
Token: SeDebugPrivilege	1380	taskhost.exe
Token: SeDebugPrivilege	2404	taskhost.exe
Token: SeDebugPrivilege	1144	taskhost.exe
Token: SeDebugPrivilege	1248	taskhost.exe
Token: SeDebugPrivilege	2244	taskhost.exe
Token: SeDebugPrivilege	1796	taskhost.exe
Token: SeDebugPrivilege	2956	taskhost.exe
Token: SeDebugPrivilege	1964	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2608	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 1452 wrote to memory of 2608	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 1452 wrote to memory of 2608	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 1452 wrote to memory of 2632	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 1452 wrote to memory of 2632	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 1452 wrote to memory of 2632	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 1452 wrote to memory of 2656	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 1452 wrote to memory of 2656	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 1452 wrote to memory of 2656	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 1452 wrote to memory of 2404	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	41
PID 1452 wrote to memory of 2404	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	41
PID 1452 wrote to memory of 2404	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	41
PID 1452 wrote to memory of 2156	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 1452 wrote to memory of 2156	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 1452 wrote to memory of 2156	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 1452 wrote to memory of 2476	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 1452 wrote to memory of 2476	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 1452 wrote to memory of 2476	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 1452 wrote to memory of 2100	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 1452 wrote to memory of 2100	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 1452 wrote to memory of 2100	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 1452 wrote to memory of 2164	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 1452 wrote to memory of 2164	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 1452 wrote to memory of 2164	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 1452 wrote to memory of 1524	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 1452 wrote to memory of 1524	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 1452 wrote to memory of 1524	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 1452 wrote to memory of 2880	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 1452 wrote to memory of 2880	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 1452 wrote to memory of 2880	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 1452 wrote to memory of 1832	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	50
PID 1452 wrote to memory of 1832	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	50
PID 1452 wrote to memory of 1832	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	50
PID 1452 wrote to memory of 2908	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 1452 wrote to memory of 2908	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 1452 wrote to memory of 2908	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 1452 wrote to memory of 1516	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	59
PID 1452 wrote to memory of 1516	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	59
PID 1452 wrote to memory of 1516	1452	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	59
PID 1516 wrote to memory of 1268	1516	cmd.exe	63
PID 1516 wrote to memory of 1268	1516	cmd.exe	63
PID 1516 wrote to memory of 1268	1516	cmd.exe	63
PID 1516 wrote to memory of 2216	1516	cmd.exe	64
PID 1516 wrote to memory of 2216	1516	cmd.exe	64
PID 1516 wrote to memory of 2216	1516	cmd.exe	64
PID 2216 wrote to memory of 2824	2216	taskhost.exe	65
PID 2216 wrote to memory of 2824	2216	taskhost.exe	65
PID 2216 wrote to memory of 2824	2216	taskhost.exe	65
PID 2216 wrote to memory of 2716	2216	taskhost.exe	66
PID 2216 wrote to memory of 2716	2216	taskhost.exe	66
PID 2216 wrote to memory of 2716	2216	taskhost.exe	66
PID 2824 wrote to memory of 2992	2824	WScript.exe	68
PID 2824 wrote to memory of 2992	2824	WScript.exe	68
PID 2824 wrote to memory of 2992	2824	WScript.exe	68
PID 2992 wrote to memory of 2064	2992	taskhost.exe	69
PID 2992 wrote to memory of 2064	2992	taskhost.exe	69
PID 2992 wrote to memory of 2064	2992	taskhost.exe	69
PID 2992 wrote to memory of 912	2992	taskhost.exe	70
PID 2992 wrote to memory of 912	2992	taskhost.exe	70
PID 2992 wrote to memory of 912	2992	taskhost.exe	70
PID 2064 wrote to memory of 1380	2064	WScript.exe	71
PID 2064 wrote to memory of 1380	2064	WScript.exe	71
PID 2064 wrote to memory of 1380	2064	WScript.exe	71
PID 1380 wrote to memory of 1376	1380	taskhost.exe	72

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1268
- - C:\Program Files\VideoLAN\VLC\taskhost.exe
    "C:\Program Files\VideoLAN\VLC\taskhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f62680f-65b6-4ba6-8c6b-61f072c6a8f4.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21bff0b9-2644-4d45-82aa-ebc684e80383.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa81074c-68da-439a-8de4-e9f0776d7106.vbs"
        8⤵
        
        PID:1376
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c192a37b-33b6-4460-a3ad-b79ff62a4cf0.vbs"
        10⤵
        
        PID:1664
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1d15bba-6646-4c69-936b-dcea510eea10.vbs"
        12⤵
        
        PID:2736
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bbe6a2e-5a35-45e8-b13a-ff3e94632471.vbs"
        14⤵
        
        PID:776
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4936345-722e-4a56-a7cb-e6e2277456ce.vbs"
        16⤵
        
        PID:2916
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef21551f-260e-4f4e-93a8-f2efdd11db0e.vbs"
        18⤵
        
        PID:2160
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2aa14c98-727a-44e1-916b-ea1f6b792870.vbs"
        20⤵
        
        PID:2528
        
        C:\Program Files\VideoLAN\VLC\taskhost.exe
        
        "C:\Program Files\VideoLAN\VLC\taskhost.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451ec444-0889-47e4-b89f-4e9d87625ed8.vbs"
        22⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edad555a-1eb8-4088-b00d-b85bafd922ff.vbs"
        22⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\121ed029-3b46-4607-8e97-28a84e0b56b6.vbs"
        20⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a75054e6-832c-4d4b-9fb2-85ff91ab3e2a.vbs"
        18⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c9f249f-4561-4c33-8c97-ec1116988c7a.vbs"
        16⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fb9eb38-ee9c-49b2-b971-e2e6fd0e0c4b.vbs"
        14⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efba3775-7784-4532-9de1-c3b143b248a8.vbs"
        12⤵
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe8647eb-7d6c-489b-89dc-3089a7d19df4.vbs"
        10⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4e81892-8c8e-4786-b249-3c1b1f88b5ef.vbs"
        8⤵
        
        PID:2120
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21360172-5387-4d3a-ba10-ab2756e9de10.vbs"
        6⤵
        
        PID:912
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0fa3a56-d9f8-4b8d-b396-e7f6f5d25232.vbs"
      4⤵
      PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VideoLAN\VLC\taskhost.exe

Filesize
4.9MB

MD5
f32026ab859baf87e56f628b87ec52a0

SHA1
926a579598eb4364b9cd10a036a294809fd3cb16

SHA256
9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

SHA512
69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\21bff0b9-2644-4d45-82aa-ebc684e80383.vbs

Filesize
718B

MD5
d3f01f05f3d6ce0a0cb55a84c1ff6291

SHA1
bab8225a210d831eafe5cff45fa8fe992e1cc1dc

SHA256
fbfc06503f4b02da971f1789569734f758ceb1e06327b25f6d0bd31d35713465

SHA512
6238393061a3e21e4e393b9d2be4b8d2cc86a4e6152cc4e41162d0ab1875286a0061599ca69bdac0a9f7fa6052c8c33355e34b8a0ab2123e98c797e3897c7cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aa14c98-727a-44e1-916b-ea1f6b792870.vbs

Filesize
718B

MD5
e65fb272261ce87eecc7ec65154a44fb

SHA1
b818be0dd6127de554bbb61720c6e105bd3484b7

SHA256
4211e118b8ca896d0349be5be12233d78127c49e9743329cc7d8f147baa9e912

SHA512
494237f0ffa8b071e2441a6bd78aaf158f0ca00436028bdb9f194998113bcbccec404d3da1a7fe047d8e8e8d96d0f2ff91282ca720aad723d5f6357106696180

Download Submit
C:\Users\Admin\AppData\Local\Temp\451ec444-0889-47e4-b89f-4e9d87625ed8.vbs

Filesize
718B

MD5
6ca5121365c178c23b834db0e391ec75

SHA1
87707eb83417152f5ac839b2da4dacd6661a1699

SHA256
554ad51d69f412bc029e053cb5400877755778e436da4fb4bc6a5eace34610a0

SHA512
3b2aa7a934992fb03ceff1b71b4f598c0b83d526571d94e89825f1fecef8d79f13b644f93fbbb9e09db3382730b5b5f747642bc547e157f09daf708d33dbbb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f62680f-65b6-4ba6-8c6b-61f072c6a8f4.vbs

Filesize
718B

MD5
7447a76e47ddf0faae907670be947f00

SHA1
867e7b1d9368806e2046ca655fb74e2399bffee7

SHA256
49871466204e9def6a40f45909706d2824f9785c424f4cfbac4109779d11487d

SHA512
481d78f81e847e43a178b0c790b1106885b5aa4cf1c8110204f1cddf379fe24b236d311e733d4823b41e48a5574237c4dab510c1a4a4b63f46f8055cdcc1cadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bbe6a2e-5a35-45e8-b13a-ff3e94632471.vbs

Filesize
718B

MD5
118badea17ef88d8cd9c98997c3cc257

SHA1
ef3db923dbef53a1c19b17a5f23f26b02a496abd

SHA256
aa352dcc3e73fe343c9b57ac25bcd48d5bd8a820605e04f7332691e00cca2a72

SHA512
e72813c3adc95a1735fc96fc3b15c60f329c31d72744ae1ce5ae536a180d081bd4d0b0dab20ca8b585fe60f92cdb203563548be54fb0dc71798900144cac4c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c192a37b-33b6-4460-a3ad-b79ff62a4cf0.vbs

Filesize
718B

MD5
62691d128cf3876034834a63447df927

SHA1
5ac2045b1d9598b39ffde633a17c83611ca5918b

SHA256
290a2d64d1a5d716b44fd7f51ee28233af51dc1f02b37d77430b80f73ec6e29f

SHA512
ce9b90f0d9a0c9d509e04aa43f55edd2d4f6d2bab78c0efb58dc4331f03fa809586a120159a08ad67f20aa1de4097cf55ca30ed1842aa7ac86ce7804d1f56903

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4936345-722e-4a56-a7cb-e6e2277456ce.vbs

Filesize
718B

MD5
6675be06a3e66909fa78fbd0432f5987

SHA1
b5903f03a70969a17b7fb27d7fd7f01ff1976349

SHA256
8260ff7afb3150627d8f854f7d0d688a007c21cf27b061ae8589d926bfe2391a

SHA512
37cf0823a293611bcc75a91412a86bd7dd9481dc2768065619129da1dacfae5b80333ec68c1c5dbe3c204014ee78ad4aff80b8e3dfd475af134f3df8777c9646

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0fa3a56-d9f8-4b8d-b396-e7f6f5d25232.vbs

Filesize
494B

MD5
1b92a28f6c97dd340f8f0a51c3ae15ac

SHA1
ffe630edc122aeefb8de5d1531291ede0fd8e090

SHA256
a875625f8d640d4f80c0c7cf74c98af7dff5904f8010a8a412e5411d5c07262a

SHA512
c5b7c38c7ee44caa245440e19fb2afbcd162103023f45e76ef083a948b6c32447fa8ed527833b37b56db1c96732f372e85f4c033e048d6a2d82224663fb71e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1d15bba-6646-4c69-936b-dcea510eea10.vbs

Filesize
718B

MD5
f7bf401605e49c7ce9392dae994dfe2e

SHA1
87fd187810761f68b580f869373a7337c75cd4e8

SHA256
03055d272612db15a008ff5853ee154861a8a294fde4bedfe96f4cbee917bf06

SHA512
1a302510c32571c2cd7cd0b5ca4b24bd476ab0c6d92c29092380e4ae028fa04af0ddae6eac2a4a0c9958ffb5e96894ad318c9bcf30850bb6c98500e4c874f015

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef21551f-260e-4f4e-93a8-f2efdd11db0e.vbs

Filesize
718B

MD5
41163db48e0fd1b4d9b123b3e46fde76

SHA1
95d9d4cff18ef75515641f8750e3d6397815995d

SHA256
5277f0f27113d41310982ef152588bbc0b9cc4a4af734c5af41ff57f6908e48d

SHA512
9ed200b58e0a7faec57204d2c5e77edeee3a71beb4d1b7d28c8bb378d7b9809a71f70287c383a0d298c1461e05e5ac2466543a84fd6326820a4521fe79b5f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa81074c-68da-439a-8de4-e9f0776d7106.vbs

Filesize
718B

MD5
93cad91e3b1d1c51d44fabfbf4eabf96

SHA1
d5b8ef434b34dcab52b2666109b8e2de5c67cefb

SHA256
6951429e1962dbd4391cfbab4834001e6e6e32661ef27c430f095d0614e9a4a7

SHA512
d09393ec298f3d44ed76eee614dd26f3b2e112891ef82333ff92efb6488b5cc2556834bc56c8423fd7fc362aa5a6f9fbd432b85f1eafd6e4f123e34d6cc00df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\omibxcOtOT.bat

Filesize
207B

MD5
827f308c0a7cd6b98f93fe9f6798da9d

SHA1
98bad7a510cf84246aadaf3a83862a7016d16ed2

SHA256
2d66431b1a11259b167c6bd4f3803b3cd566e95293c68b48af87578764a540f0

SHA512
454c2ec445918e37d6fb8027c38833f970e6864c55fff8cec4bd5e1739431299cfcd82de573476e9d55834c6ffaf2515ec72ae71259c8898bf39be91b0c759c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9BA.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XCSQ0VXPZ6XYBDXY611N.temp

Filesize
7KB

MD5
b003cefadd7bd8b5e30a13f422bd4fec

SHA1
3c4a775caa44cff92a66c174309f8cd7fd9f030e

SHA256
01601dffda75a00526015a98adeba026dd24bc6864aa23fc69a5e593777671ea

SHA512
2e6de5fecdf89ec53f8251eb803df392a25455d52179df6430a3816813750cae2f052536670e3df1ebb469574d35e8c25b4b1d6bb57c1428ca5c021c13488579

Download Submit
memory/1144-167-0x0000000000D80000-0x0000000001274000-memory.dmp

Filesize
5.0MB

Download
memory/1380-137-0x0000000000370000-0x0000000000864000-memory.dmp

Filesize
5.0MB

Download
memory/1452-11-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download
memory/1452-9-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/1452-1-0x0000000000D70000-0x0000000001264000-memory.dmp

Filesize
5.0MB

Download
memory/1452-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1452-15-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/1452-60-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1452-3-0x000000001B640000-0x000000001B76E000-memory.dmp

Filesize
1.2MB

Download
memory/1452-14-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/1452-13-0x0000000000D10000-0x0000000000D1E000-memory.dmp

Filesize
56KB

Download
memory/1452-4-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1452-12-0x0000000000C80000-0x0000000000C8E000-memory.dmp

Filesize
56KB

Download
memory/1452-0-0x000007FEF5403000-0x000007FEF5404000-memory.dmp

Filesize
4KB

Download
memory/1452-10-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/1452-16-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/1452-5-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1452-8-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/1452-7-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1452-6-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/1796-211-0x00000000011A0000-0x0000000001694000-memory.dmp

Filesize
5.0MB

Download
memory/1964-241-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/1964-242-0x0000000002350000-0x0000000002362000-memory.dmp

Filesize
72KB

Download
memory/2216-108-0x0000000000B90000-0x0000000001084000-memory.dmp

Filesize
5.0MB

Download
memory/2244-196-0x0000000000F00000-0x00000000013F4000-memory.dmp

Filesize
5.0MB

Download
memory/2404-152-0x0000000000960000-0x0000000000E54000-memory.dmp

Filesize
5.0MB

Download
memory/2608-46-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2608-48-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2956-226-0x0000000001370000-0x0000000001864000-memory.dmp

Filesize
5.0MB

Download
memory/2992-122-0x0000000000BB0000-0x00000000010A4000-memory.dmp

Filesize
5.0MB

Download