dcrat | 04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76d

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Size

4.9MB
MD5

76734aa65b791419a307427a85876560
SHA1

e82c8b8b689321752d7701a34e84814ad89ab2ba
SHA256

04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76d
SHA512

300a35678adc37cf5c18e9f34e01458a457b99bd56c8be560923e23493c393e78345dcf385d7369483913b1ae4fe7848170d6661e1ce68acff3d229478e35c06
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	768	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1728-3-0x000000001B710000-0x000000001B83E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
2424	powershell.exe
1152	powershell.exe
2604	powershell.exe
1772	powershell.exe
2124	powershell.exe
1648	powershell.exe
1416	powershell.exe
1516	powershell.exe
1640	powershell.exe
1712	powershell.exe
1236	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2548	sppsvc.exe
620	sppsvc.exe
2952	sppsvc.exe
2712	sppsvc.exe
1424	sppsvc.exe
1808	sppsvc.exe
904	sppsvc.exe
1936	sppsvc.exe
2044	sppsvc.exe
2012	sppsvc.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\7a0fd90576e088	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCXDD28.tmp	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\AppPatch64\csrss.exe	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\csrss.exe	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File created	C:\Windows\AppPatch\AppPatch64\886983d96e3d3e	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXD8E2.tmp	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
2692	schtasks.exe
2912	schtasks.exe
2900	schtasks.exe
2624	schtasks.exe
2988	schtasks.exe
2808	schtasks.exe
2328	schtasks.exe
2772	schtasks.exe
2640	schtasks.exe
2784	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
1708	powershell.exe
1648	powershell.exe
2424	powershell.exe
1712	powershell.exe
1516	powershell.exe
2124	powershell.exe
1152	powershell.exe
2604	powershell.exe
1640	powershell.exe
1416	powershell.exe
1236	powershell.exe
1772	powershell.exe
2548	sppsvc.exe
620	sppsvc.exe
2952	sppsvc.exe
2712	sppsvc.exe
1424	sppsvc.exe
1808	sppsvc.exe
904	sppsvc.exe
1936	sppsvc.exe
2044	sppsvc.exe
2012	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	2548	sppsvc.exe
Token: SeDebugPrivilege	620	sppsvc.exe
Token: SeDebugPrivilege	2952	sppsvc.exe
Token: SeDebugPrivilege	2712	sppsvc.exe
Token: SeDebugPrivilege	1424	sppsvc.exe
Token: SeDebugPrivilege	1808	sppsvc.exe
Token: SeDebugPrivilege	904	sppsvc.exe
Token: SeDebugPrivilege	1936	sppsvc.exe
Token: SeDebugPrivilege	2044	sppsvc.exe
Token: SeDebugPrivilege	2012	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2124	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	44
PID 1728 wrote to memory of 2124	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	44
PID 1728 wrote to memory of 2124	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	44
PID 1728 wrote to memory of 1708	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	45
PID 1728 wrote to memory of 1708	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	45
PID 1728 wrote to memory of 1708	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	45
PID 1728 wrote to memory of 2424	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	47
PID 1728 wrote to memory of 2424	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	47
PID 1728 wrote to memory of 2424	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	47
PID 1728 wrote to memory of 1152	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	49
PID 1728 wrote to memory of 1152	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	49
PID 1728 wrote to memory of 1152	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	49
PID 1728 wrote to memory of 1236	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	50
PID 1728 wrote to memory of 1236	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	50
PID 1728 wrote to memory of 1236	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	50
PID 1728 wrote to memory of 1648	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	52
PID 1728 wrote to memory of 1648	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	52
PID 1728 wrote to memory of 1648	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	52
PID 1728 wrote to memory of 1516	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	56
PID 1728 wrote to memory of 1516	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	56
PID 1728 wrote to memory of 1516	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	56
PID 1728 wrote to memory of 1416	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	57
PID 1728 wrote to memory of 1416	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	57
PID 1728 wrote to memory of 1416	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	57
PID 1728 wrote to memory of 1712	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	58
PID 1728 wrote to memory of 1712	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	58
PID 1728 wrote to memory of 1712	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	58
PID 1728 wrote to memory of 1772	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	60
PID 1728 wrote to memory of 1772	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	60
PID 1728 wrote to memory of 1772	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	60
PID 1728 wrote to memory of 2604	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	61
PID 1728 wrote to memory of 2604	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	61
PID 1728 wrote to memory of 2604	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	61
PID 1728 wrote to memory of 1640	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	62
PID 1728 wrote to memory of 1640	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	62
PID 1728 wrote to memory of 1640	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	62
PID 1728 wrote to memory of 2548	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	68
PID 1728 wrote to memory of 2548	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	68
PID 1728 wrote to memory of 2548	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	68
PID 1728 wrote to memory of 2548	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	68
PID 1728 wrote to memory of 2548	1728	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe	68
PID 2548 wrote to memory of 3064	2548	sppsvc.exe	69
PID 2548 wrote to memory of 3064	2548	sppsvc.exe	69
PID 2548 wrote to memory of 3064	2548	sppsvc.exe	69
PID 2548 wrote to memory of 1492	2548	sppsvc.exe	70
PID 2548 wrote to memory of 1492	2548	sppsvc.exe	70
PID 2548 wrote to memory of 1492	2548	sppsvc.exe	70
PID 3064 wrote to memory of 620	3064	WScript.exe	71
PID 3064 wrote to memory of 620	3064	WScript.exe	71
PID 3064 wrote to memory of 620	3064	WScript.exe	71
PID 3064 wrote to memory of 620	3064	WScript.exe	71
PID 3064 wrote to memory of 620	3064	WScript.exe	71
PID 620 wrote to memory of 1788	620	sppsvc.exe	72
PID 620 wrote to memory of 1788	620	sppsvc.exe	72
PID 620 wrote to memory of 1788	620	sppsvc.exe	72
PID 620 wrote to memory of 1760	620	sppsvc.exe	73
PID 620 wrote to memory of 1760	620	sppsvc.exe	73
PID 620 wrote to memory of 1760	620	sppsvc.exe	73
PID 1788 wrote to memory of 2952	1788	WScript.exe	74
PID 1788 wrote to memory of 2952	1788	WScript.exe	74
PID 1788 wrote to memory of 2952	1788	WScript.exe	74
PID 1788 wrote to memory of 2952	1788	WScript.exe	74
PID 1788 wrote to memory of 2952	1788	WScript.exe	74
PID 2952 wrote to memory of 1428	2952	sppsvc.exe	75

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe
"C:\Users\Admin\AppData\Local\Temp\04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76dN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d26c6fb-f44b-416c-9ad7-27cdf0677e65.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d674d97-d14b-4a18-8c84-14870d4e601e.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ede12ca5-2932-4e04-91d5-5635a1021ee7.vbs"
        7⤵
        
        PID:1428
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c130c8-1f39-41bc-a2b8-e232d10fedfa.vbs"
        9⤵
        
        PID:2544
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd7837dd-ad51-4a21-b467-aec8aa2e2e91.vbs"
        11⤵
        
        PID:2640
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\136f236a-aeae-4b63-8370-c37553e742ae.vbs"
        13⤵
        
        PID:2360
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78ab73a6-8e65-4632-8e7e-ff6271367db0.vbs"
        15⤵
        
        PID:3000
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d95b1343-087f-4d45-b013-420ac3126fa5.vbs"
        17⤵
        
        PID:3060
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\600b4e34-1347-489f-a5b0-34ee05e98dcd.vbs"
        19⤵
        
        PID:1532
        
        C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe"
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0c09245-db27-4a00-b2be-d5702821647b.vbs"
        21⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d776f5a4-caa1-4f26-95a9-86f89a3d101a.vbs"
        21⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b6df7c-8870-4b12-97ce-45803ebd8bc1.vbs"
        19⤵
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ea9cae0-4086-4470-b193-aab38948ed4c.vbs"
        17⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\618c9554-1bc7-4e72-a650-82e6e97136c4.vbs"
        15⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f90fdd5-ac3d-4a48-b3fb-0cc32dfeb467.vbs"
        13⤵
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2ebc3be-0e5d-4ff3-895d-3928bb54df8a.vbs"
        11⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\864654a3-0cc1-475c-a236-5ba7c3cadf94.vbs"
        9⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9b253ff-525e-4462-9d12-0e49b2ed21db.vbs"
        7⤵
        
        PID:1544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f61eb26b-86d5-48e9-b01e-0dea5085db63.vbs"
        5⤵
        
        PID:1760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42a04542-d66f-413f-950a-bf7a155ebfc6.vbs"
    3⤵
    PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\AppPatch64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\AppPatch64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\136f236a-aeae-4b63-8370-c37553e742ae.vbs

Filesize
758B

MD5
ac93a114abb0c9c82403c3d4f14e90d2

SHA1
1efcd433a492ed4f0ceecc8f46f1fbe873ec57e6

SHA256
02551d6cd4ad7a7a9d1c54e4971e0c8b7fd2030ea79d6185ec8ae3621ada83a8

SHA512
6f75d5d4a492a1511f055721e3a17960dd42f19de40ac1e6fcfd22eba55c5ab35bee9d34f90c4cfccb5c7d8b1cef06058af499a93ec03ae6b211019c5539e506

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d26c6fb-f44b-416c-9ad7-27cdf0677e65.vbs

Filesize
758B

MD5
ce1179f45ad30b87e59912af05b716df

SHA1
66c7e547907806c25e5d0ce535c84aed9cc650bf

SHA256
0e98c639337ead9a19d63a40c80d0e8e5ce38cf73604824b2ca590047b032e6d

SHA512
d1af1527415e8b433ccefbadfc8de8cfab98a1b8ee52a64005e77aee7e5586727d8aee7efd2527c5c3eee85bda443a4827bc151ddc147a6e1195ba2a90f287a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d674d97-d14b-4a18-8c84-14870d4e601e.vbs

Filesize
757B

MD5
e393a3879321dc3b8b34018c8c5050e6

SHA1
df6c5fff1b692b9b6a7ddca556d390fa3729e2fb

SHA256
4ab7a9d316d78ee9ad2ef6112ef974c9100e3db9b3da7d9b083f67521741714b

SHA512
112f9800201fdf2282b15469c5749b8ecd922b266671e946de761da348c46f2f070ca63a20498d031f79aa14ddd0a79cb2a3c6ada97305ff130710d8680f59b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\42a04542-d66f-413f-950a-bf7a155ebfc6.vbs

Filesize
534B

MD5
ece2ac8099acf8d6c6f38ebefba933b5

SHA1
a0ebc1167b1f94e62bb548e6d0c66e89a86275f8

SHA256
c9bd5a11f48b9d98111a9fd68f3f727a9dee155aad3a554215869d90254b0d68

SHA512
fd07f8926603cb5605e830abcfaa74d8b8cd1f2c5be74aec23658e6f10802d378a2e568995dae04be0986f466f138ac8607d01e77a6d9984667ab0bf4fb40e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\600b4e34-1347-489f-a5b0-34ee05e98dcd.vbs

Filesize
758B

MD5
83127b8ad2d77610b6969e1cb91f5201

SHA1
a673c0ef96bae4cb48a5dcb89a247ae577e4130b

SHA256
66f3c45115ed5471647cbf702e98b5ad7decc46e19623dcf4f4638e4e1b90248

SHA512
50ad0022cc5248e861d5abc330f0c8754c708c9eda2b0cc9d5e4d42ce283b7a8b98566749a3ab13299a839971311e781b8f8faa3388f1842fa57eb33e812ed56

Download Submit
C:\Users\Admin\AppData\Local\Temp\78ab73a6-8e65-4632-8e7e-ff6271367db0.vbs

Filesize
757B

MD5
bbaa272f5fdb9579f0afeadd9d3aa17d

SHA1
14d9ddfd962554fe3ecef713f6eb5af1d769f8ec

SHA256
3c372c05db4247425af3410d251a425ebb2e13fb1558884583e660ef1adc65bd

SHA512
5524c1db2ecf600de53cfc9f18aa0aec90517f823f0938c86703732b69ca1fa62eb9cdaa663607edbd3917504e227da8df6ae258f73d84a9dce44993b4f15f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd7837dd-ad51-4a21-b467-aec8aa2e2e91.vbs

Filesize
758B

MD5
b0b47217e96247bb4c79c6494780109b

SHA1
ed59a8e59e362b9597d16ffa05cdeaf46aacb74e

SHA256
99f74d388c508b529f30aff55dbcd6f4e23eea174bfba525e8f4779677d73486

SHA512
bdfb4434ee0a2f64d977a0d1cdb1da4b9e20d3da2620586605d63d337f67bce31890ad5af98597a2dd9f065a7169e4ef56ba5fd090e75b335754f01abbcdab8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d95b1343-087f-4d45-b013-420ac3126fa5.vbs

Filesize
758B

MD5
52513c920635c8c9552d6e09268985c2

SHA1
75b00d8a620347be62eaa0bb47c8b4e3b3678e8b

SHA256
16166f619ceba419a99c8abbbdf30678475af69af905ad285fcddf007e2bedf2

SHA512
11113e675d1146bd0930e3f544682cb14b93706a552100128482c0acd959eaed26b5b79310b88dba8bf9dabe18640ed94dc4674c5306411500f4f9e5a041143f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0c09245-db27-4a00-b2be-d5702821647b.vbs

Filesize
758B

MD5
0365f9547f4f9a8c793607d01b76fefb

SHA1
fbd0fcdc71b8fe83511f179df66d56530897b5ab

SHA256
271a7a98ac78db236654b6210a6c9ad47b35382257a48d5cb3fa7e2c3a67082e

SHA512
146043a04e8f5b5190f9db3ee93fad46a8749b7ac60f90cef3050a7ef14891d1284aadb633f7ac9f663441aba722b2959e8e4b8070472f1e7afa22cf9349b51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ede12ca5-2932-4e04-91d5-5635a1021ee7.vbs

Filesize
758B

MD5
63757b343e4f2305bdf66e8de7da6305

SHA1
8bd1239895acde8801f64b37ed4ed0387c737a45

SHA256
b8bb85652d90d703f6d2519d7397de133eaa47ed9cbec52e50da45bacfafa915

SHA512
5a080cb4fe7da0c89eaa431393296636926c2e243fdcf131b5c9d73ec56988dc858df0757e50fc3e4a2e3f035802ca78b6478c775a3cd1c7997bbcd326fccefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0c130c8-1f39-41bc-a2b8-e232d10fedfa.vbs

Filesize
758B

MD5
40ea0e6d778b124e3c3927fa9f617a16

SHA1
2205d56a3e79b4a25faefdef0c16fb79f332b31b

SHA256
b1cbdf95872113b835d46146e16cf086bd8894cc51a2996145b4dd5f210fc83c

SHA512
97fbc7528456eb89c79541ad07da326a3a8754c04ac10680670fe7b065655bc4010d3278096c4d23f771cfd32629b02c1fa28645d123b4a614899f68c9535c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF180.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b48f0b223d572a3c86bd206a10ac10ff

SHA1
486a228bd1cb10fa37ba67bd7057d5411a647c68

SHA256
12686dcf199b5c829d9428f7a6c05aa0eb6a5d86c1c3cb8ec0c6ceca5f9bb1c9

SHA512
da4076031c591a8a8b866af2e9144a08b2765f502224a0ead1221daa021939f8ca4de378d921d11bb109c0d7e285fb5ac402b7c1b768d14d0c92bc0fb4d8a34f

Download Submit
C:\Windows\AppPatch\AppPatch64\csrss.exe

Filesize
4.9MB

MD5
76734aa65b791419a307427a85876560

SHA1
e82c8b8b689321752d7701a34e84814ad89ab2ba

SHA256
04449cf3ce402b23a2dede3bc5ea772edb2e4663e0005c8433ec79968699d76d

SHA512
300a35678adc37cf5c18e9f34e01458a457b99bd56c8be560923e23493c393e78345dcf385d7369483913b1ae4fe7848170d6661e1ce68acff3d229478e35c06

Download Submit
memory/620-138-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1424-182-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/1708-100-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1728-10-0x000000001AF20000-0x000000001AF32000-memory.dmp

Filesize
72KB

Download
memory/1728-1-0x00000000002C0000-0x00000000007B4000-memory.dmp

Filesize
5.0MB

Download
memory/1728-16-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/1728-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/1728-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-124-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-14-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/1728-13-0x000000001AF50000-0x000000001AF5E000-memory.dmp

Filesize
56KB

Download
memory/1728-12-0x000000001AF40000-0x000000001AF4E000-memory.dmp

Filesize
56KB

Download
memory/1728-9-0x000000001AF10000-0x000000001AF1A000-memory.dmp

Filesize
40KB

Download
memory/1728-3-0x000000001B710000-0x000000001B83E000-memory.dmp

Filesize
1.2MB

Download
memory/1728-15-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/1728-11-0x000000001AF30000-0x000000001AF3A000-memory.dmp

Filesize
40KB

Download
memory/1728-8-0x000000001AF00000-0x000000001AF10000-memory.dmp

Filesize
64KB

Download
memory/1728-7-0x000000001AB10000-0x000000001AB26000-memory.dmp

Filesize
88KB

Download
memory/1728-6-0x000000001AB00000-0x000000001AB10000-memory.dmp

Filesize
64KB

Download
memory/1728-4-0x0000000000930000-0x000000000094C000-memory.dmp

Filesize
112KB

Download
memory/1728-5-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1808-197-0x00000000011C0000-0x00000000016B4000-memory.dmp

Filesize
5.0MB

Download
memory/2012-254-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2424-94-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2548-123-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2952-153-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download