dcrat | 9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Size

4.9MB
MD5

6fffc1e333969842f53c8ccc15fc56e0
SHA1

5b11ed152f48402f76af5291115599635a0f5323
SHA256

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54
SHA512

f7108a3213d454094fcbbc21ccb84837d31c81cbb0776593e591685b8b34d5a676aec610603b94de849a867eed84b9d5881421669418f546acf99ceb9dbf6225
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2504	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2504	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2096-3-0x000000001B750000-0x000000001B87E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2580	powershell.exe
2376	powershell.exe
320	powershell.exe
536	powershell.exe
1912	powershell.exe
892	powershell.exe
1188	powershell.exe
2888	powershell.exe
1144	powershell.exe
844	powershell.exe
2932	powershell.exe
1480	powershell.exe

Executes dropped EXE 8 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
2612	dwm.exe
2948	dwm.exe
1604	dwm.exe
2576	dwm.exe
2392	dwm.exe
2840	dwm.exe
888	dwm.exe
2244	dwm.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exedwm.exedwm.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Drops file in Program Files directory 4 IoCs

Processes:

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\b75386f1303e64	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXAA46.tmp	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
2756	schtasks.exe
2976	schtasks.exe
1436	schtasks.exe
1800	schtasks.exe
3060	schtasks.exe
2872	schtasks.exe
2868	schtasks.exe
2736	schtasks.exe
2632	schtasks.exe
2776	schtasks.exe
2808	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	Process
2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
892	powershell.exe
844	powershell.exe
2888	powershell.exe
1912	powershell.exe
1188	powershell.exe
536	powershell.exe
1144	powershell.exe
2580	powershell.exe
1480	powershell.exe
320	powershell.exe
2376	powershell.exe
2932	powershell.exe
2612	dwm.exe
2948	dwm.exe
1604	dwm.exe
2576	dwm.exe
2392	dwm.exe
2840	dwm.exe
888	dwm.exe
2244	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2612	dwm.exe
Token: SeDebugPrivilege	2948	dwm.exe
Token: SeDebugPrivilege	1604	dwm.exe
Token: SeDebugPrivilege	2576	dwm.exe
Token: SeDebugPrivilege	2392	dwm.exe
Token: SeDebugPrivilege	2840	dwm.exe
Token: SeDebugPrivilege	888	dwm.exe
Token: SeDebugPrivilege	2244	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.execmd.exedwm.exeWScript.exedwm.exeWScript.exedwm.exe

description	pid	Process	procid_target
PID 2096 wrote to memory of 1480	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2096 wrote to memory of 1480	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2096 wrote to memory of 1480	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	43
PID 2096 wrote to memory of 892	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2096 wrote to memory of 892	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2096 wrote to memory of 892	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	44
PID 2096 wrote to memory of 1188	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	45
PID 2096 wrote to memory of 1188	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	45
PID 2096 wrote to memory of 1188	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	45
PID 2096 wrote to memory of 2888	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2096 wrote to memory of 2888	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2096 wrote to memory of 2888	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	46
PID 2096 wrote to memory of 1144	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2096 wrote to memory of 1144	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2096 wrote to memory of 1144	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	47
PID 2096 wrote to memory of 1912	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2096 wrote to memory of 1912	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2096 wrote to memory of 1912	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	48
PID 2096 wrote to memory of 2580	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2096 wrote to memory of 2580	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2096 wrote to memory of 2580	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	49
PID 2096 wrote to memory of 2376	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2096 wrote to memory of 2376	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2096 wrote to memory of 2376	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	50
PID 2096 wrote to memory of 320	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2096 wrote to memory of 320	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2096 wrote to memory of 320	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	51
PID 2096 wrote to memory of 844	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	52
PID 2096 wrote to memory of 844	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	52
PID 2096 wrote to memory of 844	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	52
PID 2096 wrote to memory of 536	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	53
PID 2096 wrote to memory of 536	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	53
PID 2096 wrote to memory of 536	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	53
PID 2096 wrote to memory of 2932	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	54
PID 2096 wrote to memory of 2932	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	54
PID 2096 wrote to memory of 2932	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	54
PID 2096 wrote to memory of 1952	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	67
PID 2096 wrote to memory of 1952	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	67
PID 2096 wrote to memory of 1952	2096	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe	67
PID 1952 wrote to memory of 2184	1952	cmd.exe	69
PID 1952 wrote to memory of 2184	1952	cmd.exe	69
PID 1952 wrote to memory of 2184	1952	cmd.exe	69
PID 1952 wrote to memory of 2612	1952	cmd.exe	70
PID 1952 wrote to memory of 2612	1952	cmd.exe	70
PID 1952 wrote to memory of 2612	1952	cmd.exe	70
PID 2612 wrote to memory of 2692	2612	dwm.exe	72
PID 2612 wrote to memory of 2692	2612	dwm.exe	72
PID 2612 wrote to memory of 2692	2612	dwm.exe	72
PID 2612 wrote to memory of 1112	2612	dwm.exe	73
PID 2612 wrote to memory of 1112	2612	dwm.exe	73
PID 2612 wrote to memory of 1112	2612	dwm.exe	73
PID 2692 wrote to memory of 2948	2692	WScript.exe	74
PID 2692 wrote to memory of 2948	2692	WScript.exe	74
PID 2692 wrote to memory of 2948	2692	WScript.exe	74
PID 2948 wrote to memory of 936	2948	dwm.exe	75
PID 2948 wrote to memory of 936	2948	dwm.exe	75
PID 2948 wrote to memory of 936	2948	dwm.exe	75
PID 2948 wrote to memory of 3020	2948	dwm.exe	76
PID 2948 wrote to memory of 3020	2948	dwm.exe	76
PID 2948 wrote to memory of 3020	2948	dwm.exe	76
PID 936 wrote to memory of 1604	936	WScript.exe	77
PID 936 wrote to memory of 1604	936	WScript.exe	77
PID 936 wrote to memory of 1604	936	WScript.exe	77
PID 1604 wrote to memory of 2216	1604	dwm.exe	78

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

Processes:

dwm.exedwm.exedwm.exedwm.exe9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exedwm.exedwm.exedwm.exedwm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe
"C:\Users\Admin\AppData\Local\Temp\9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFOvba8jC8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2184
- - C:\Users\Default User\dwm.exe
    "C:\Users\Default User\dwm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2612
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaa639bd-a6c1-4643-a438-b3d28b4641cd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\635119b7-0a5b-425c-a97a-b07e630a184c.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4322db8e-b955-434b-b515-8103291cd619.vbs"
        8⤵
        
        PID:2216
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dad46d13-053a-4d09-99d7-f9b74169f678.vbs"
        10⤵
        
        PID:1716
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f867ac94-5dcd-44a1-bd50-c206211d14be.vbs"
        12⤵
        
        PID:1828
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50fd4374-62e1-4b11-ac9f-45afe04dc2f4.vbs"
        14⤵
        
        PID:2308
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\855728b9-7d84-4f36-9644-b19e54b08b8e.vbs"
        16⤵
        
        PID:2888
        
        C:\Users\Default User\dwm.exe
        
        "C:\Users\Default User\dwm.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d65df6ff-4d80-4756-aef2-e228c6388d52.vbs"
        18⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42b24312-a1b5-4b65-ada3-d94af3e67a12.vbs"
        18⤵
        
        PID:884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd7f6384-6f82-49ee-9cf9-d74e9cc9c133.vbs"
        16⤵
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba15674d-4565-4d1d-bbf5-48e8bbff25d8.vbs"
        14⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68b5afea-9126-48e6-9bda-8a7f4c755b6f.vbs"
        12⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17011c4b-6bb9-4f25-a607-eb1444f9069e.vbs"
        10⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30ac9ce0-82b2-4f6b-8d24-426ef5b07244.vbs"
        8⤵
        
        PID:2616
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\983742b7-0478-4439-9c83-bd2a2f5b5337.vbs"
        6⤵
        
        PID:3020
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a959dc9b-2c5e-4d7a-a805-67e2540a38f6.vbs"
      4⤵
      PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4322db8e-b955-434b-b515-8103291cd619.vbs

Filesize
705B

MD5
96fdea24f9d8450dda549f5fe7d8e06e

SHA1
c9f5d701558d1d8c12c69eef232e58518301344c

SHA256
419e02a321cd32efb97b0f5e8531aa98c8175d1bb76b1b3e279f0cedd7612dc3

SHA512
5f5fab78a77077daf160962f71fd1b68bdb12b4be6a66c419fabf894fab834a928a09bb964343a3bff6c9134adb0812d267298a2a1a2e7d7529570e27d80d35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50fd4374-62e1-4b11-ac9f-45afe04dc2f4.vbs

Filesize
705B

MD5
c75e07a8fce38dcd50668761528f016b

SHA1
0e833df60f8f4831d73ec6ae356dc0816aa7c97b

SHA256
71a158e806f8bc8799245f17c12e97c9ee52503caba3608b418d4a18a4c0bb65

SHA512
aa682d281b9c0d8ada5a21376ab2192f89bb91ef061334d38d5de2b7ab263ef285f59649e5796a0b0e6943699097cf4d3ce3d74d6cd974b44d1dba37f52b3e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\635119b7-0a5b-425c-a97a-b07e630a184c.vbs

Filesize
705B

MD5
b960ac8d58a4449af1abfd89f1429871

SHA1
0dab065ba131e0321f85c7cd675bcf834f70d04c

SHA256
15df9c860acfe1de631b2f98979c0604e4c5f0fb499c3b07dc6462ed6924f879

SHA512
38c5265e66afbbe7e4b5fa4d5dbea72d20cd2b35419b5b71b3281b247ff9787f9eddbddaddbfe1c52ef4fff4201fc4947fe5f21865cb1ee3af8e8e156ca49118

Download Submit
C:\Users\Admin\AppData\Local\Temp\855728b9-7d84-4f36-9644-b19e54b08b8e.vbs

Filesize
704B

MD5
804a0a984b68611ae9966176dc9b1a1e

SHA1
a91170cfcba2b0a2a4813f103741790da0c66938

SHA256
8bb4a6b0b0aea3083668be0ee5ce91f7321f5cdef04665a3cfc27ec6b4de49ed

SHA512
72a39c36562670948401211f330dc553a95e66ef04c39699bde5582387cab40f31608d878af41b19316bf1ef1ba72f3eb903768cf36e98b57c173088f12f0660

Download Submit
C:\Users\Admin\AppData\Local\Temp\a959dc9b-2c5e-4d7a-a805-67e2540a38f6.vbs

Filesize
481B

MD5
3a2ace6c3f9341fb8e866507473a6306

SHA1
bab70ab5fba2acaea414c722aac9d3644d585ee8

SHA256
91045eceada028342a8b28d1b2a92433f587f1338f56d8a031fd6212eef81bec

SHA512
c25d0845bbcf3af098e9f36813a5b4bfbecf1a5b35c501441e403800ad00dbfa825732ff24ff69e5af2e7902c3c6abae5fdffdd50c02b6efcd7b0337ae300944

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFOvba8jC8.bat

Filesize
194B

MD5
17709603f8f81bfa485759af4a5785c5

SHA1
3bd91007b2e1c444d5d06b934bd062745e5b7384

SHA256
8cbded50ec0700f27e938e1cf618d218aad2c932ae4a256e8216e3d924e7cc0b

SHA512
74f2ff06dca055516e30488373377f1d1f4318e724afba8698b2bc0e6e37b3ffb11856549425c151a310f8a0f1a99f49129df6a0d753ce215f9f10b7518b2124

Download Submit
C:\Users\Admin\AppData\Local\Temp\d65df6ff-4d80-4756-aef2-e228c6388d52.vbs

Filesize
705B

MD5
5aa09b3ded14380c557c034718e16679

SHA1
a978c24551aff21f4de8ccdaead35ed0d2f9980d

SHA256
d3f510597955699792787d69d308861069d67f54895081a5bef3a85174229821

SHA512
20d6dca4cdb765a52abdfad075133f70caf6a1489f0e774a28beec1b6cb54d36b9cd3172e15c81e2d9f9c43ec87af3454d7869e3c7091a184004bdebb5d41f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\dad46d13-053a-4d09-99d7-f9b74169f678.vbs

Filesize
705B

MD5
5afe5380d12822403e936e037e8b26f2

SHA1
0f872f71236edc32ab57464a9d3c46fd7b09cc9a

SHA256
4d4a320969beacee23443bbdda56337f4dabdc820ee6a0fef7bdb770b5d5ab9f

SHA512
6fee39a762fc4c2d1bddc7f95bb83ac97d903720ed93cc7aae87b335baa30cf8e10ade93a0e6ecc81a999c543f67e1acf15f57491980612ae95c60cc985ce61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaa639bd-a6c1-4643-a438-b3d28b4641cd.vbs

Filesize
705B

MD5
3fc996524fd4699fe9b382f9ff91b923

SHA1
b027f8448a0edc13c1d5bbe93d8a288fa2a81496

SHA256
6d2839c406a530372e56c405f41386db1dca51f482142930586e355f28eb9254

SHA512
3381a1d2bc07778168118308cdee91574260b0c1500dc76069572b2f5b04cff50eb4b21235b0af512cb4fc7a216d9262d3eb128ec96d44e1c7cdc676ab89f821

Download Submit
C:\Users\Admin\AppData\Local\Temp\f867ac94-5dcd-44a1-bd50-c206211d14be.vbs

Filesize
705B

MD5
88963d3a383ed175e147ef1d0276b29e

SHA1
2f28742349fc6adfda7c479017f7b409503be16c

SHA256
080236f2c4af85b329f8b1ed9620d52e3e83658f9b6a5f23730f0323abbf28a4

SHA512
cfac413490a6f86e0aee9b6d4ca09d0b5a7a5d422444b56aa501000a5d0dcca5d6fa9d0b9c56bd0f4928d5f1b7fe47d0f29109cf8f9a4621014c84b21a6821fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD356.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3c50d664b78612602e38ec4cb456ee4

SHA1
e831417d462282f4c20dd800b762b965ed9d3bed

SHA256
d1907c447c4d79b1152641bd5ee07833b83aeb813287fcb1b313ebe16ab51096

SHA512
cd89177afc89b4de7aefe871df264fa1475c05d5cce846b9fea8e030d79b76cf0e4f194c62971a31cd6c36a256d34cf5f60614909aed8d160d2572c8f85d1ce5

Download Submit
C:\Users\Default\dwm.exe

Filesize
4.9MB

MD5
6fffc1e333969842f53c8ccc15fc56e0

SHA1
5b11ed152f48402f76af5291115599635a0f5323

SHA256
9fa0a5fbe7fda461fd81c1bab54c87d5c325c980f0cb9523f5b2b1f1c208be54

SHA512
f7108a3213d454094fcbbc21ccb84837d31c81cbb0776593e591685b8b34d5a676aec610603b94de849a867eed84b9d5881421669418f546acf99ceb9dbf6225

Download Submit
memory/844-79-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/892-80-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2096-8-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2096-10-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/2096-14-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2096-63-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-15-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2096-13-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/2096-12-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/2096-11-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/2096-1-0x0000000000330000-0x0000000000824000-memory.dmp

Filesize
5.0MB

Download
memory/2096-16-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2096-9-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/2096-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2096-7-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2096-6-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2096-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-5-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2096-4-0x0000000000290000-0x00000000002AC000-memory.dmp

Filesize
112KB

Download
memory/2096-3-0x000000001B750000-0x000000001B87E000-memory.dmp

Filesize
1.2MB

Download
memory/2576-171-0x0000000001320000-0x0000000001814000-memory.dmp

Filesize
5.0MB

Download
memory/2612-129-0x0000000001260000-0x0000000001754000-memory.dmp

Filesize
5.0MB

Download