dcrat | 88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489

Analysis

max time kernel
95s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Size

1.4MB
MD5

778a4d77c6ff79fd7a705c719951dfa0
SHA1

55a597e7fc6d496889618bba175e7f2c61cced4b
SHA256

88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489
SHA512

d6bf52c9115b934df88daf167311e7916d6d8e3d1b44e57a3dc41c8cab755eb8bb2c50a1d4c52791e07630a447aa46987f1503b70a485095ce67893cfe4900bb
SSDEEP

24576:6Ipz2s/RGlw9qwD9TQkzTOfC0Bg/qa9Yyym2Iicp/4xc:6Qzulw0bg/qAymlV

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3320	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3320	schtasks.exe	86

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2620-1-0x0000000000830000-0x00000000009A6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cce-25.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1276	powershell.exe
3516	powershell.exe
2260	powershell.exe
2800	powershell.exe
2960	powershell.exe
4688	powershell.exe
4344	powershell.exe
1132	powershell.exe
4872	powershell.exe
4760	powershell.exe
472	powershell.exe
3736	powershell.exe
2160	powershell.exe
3964	powershell.exe
4828	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Executes dropped EXE 1 IoCs

pid	Process
5292	services.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX786.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\27d1bcfc3c54e0	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\RCXBDD.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Internet Explorer\56085415360792	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Registry.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files\Mozilla Firefox\defaults\System.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\System.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Internet Explorer\wininit.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\22eafd247d37c3	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Program Files\VideoLAN\VLC\9e8d7a4ca61bd9	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXF53E.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF781.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Registry.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\wininit.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\RCXFE0C.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\RCXE20.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Windows\rescache\_merged\unsecapp.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Windows\RemotePackages\services.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Windows\RemotePackages\c5b4cb5e9653cc	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Windows\Microsoft.NET\winlogon.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Windows\RemotePackages\services.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File created	C:\Windows\Microsoft.NET\cc11b995f2a76d	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Windows\RemotePackages\RCX9B9.tmp	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
File opened for modification	C:\Windows\Microsoft.NET\winlogon.exe	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4464	schtasks.exe
4960	schtasks.exe
32	schtasks.exe
1580	schtasks.exe
2844	schtasks.exe
4696	schtasks.exe
4848	schtasks.exe
660	schtasks.exe
1748	schtasks.exe
3872	schtasks.exe
2508	schtasks.exe
2300	schtasks.exe
2420	schtasks.exe
100	schtasks.exe
2948	schtasks.exe
1280	schtasks.exe
4424	schtasks.exe
5004	schtasks.exe
4968	schtasks.exe
4448	schtasks.exe
4824	schtasks.exe
4080	schtasks.exe
3500	schtasks.exe
3576	schtasks.exe
3580	schtasks.exe
2868	schtasks.exe
1292	schtasks.exe
1456	schtasks.exe
3684	schtasks.exe
3784	schtasks.exe
1332	schtasks.exe
3348	schtasks.exe
4820	schtasks.exe
3564	schtasks.exe
3812	schtasks.exe
3664	schtasks.exe
3140	schtasks.exe
4620	schtasks.exe
2116	schtasks.exe
2988	schtasks.exe
1172	schtasks.exe
2436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	5292	services.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1276	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	131
PID 2620 wrote to memory of 1276	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	131
PID 2620 wrote to memory of 4828	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	132
PID 2620 wrote to memory of 4828	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	132
PID 2620 wrote to memory of 4688	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	133
PID 2620 wrote to memory of 4688	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	133
PID 2620 wrote to memory of 4760	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	134
PID 2620 wrote to memory of 4760	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	134
PID 2620 wrote to memory of 1132	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	135
PID 2620 wrote to memory of 1132	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	135
PID 2620 wrote to memory of 3964	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	136
PID 2620 wrote to memory of 3964	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	136
PID 2620 wrote to memory of 2960	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	137
PID 2620 wrote to memory of 2960	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	137
PID 2620 wrote to memory of 2160	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	138
PID 2620 wrote to memory of 2160	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	138
PID 2620 wrote to memory of 2800	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	139
PID 2620 wrote to memory of 2800	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	139
PID 2620 wrote to memory of 2260	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	140
PID 2620 wrote to memory of 2260	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	140
PID 2620 wrote to memory of 3736	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	141
PID 2620 wrote to memory of 3736	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	141
PID 2620 wrote to memory of 3516	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	142
PID 2620 wrote to memory of 3516	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	142
PID 2620 wrote to memory of 4872	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	143
PID 2620 wrote to memory of 4872	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	143
PID 2620 wrote to memory of 4344	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	144
PID 2620 wrote to memory of 4344	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	144
PID 2620 wrote to memory of 472	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	145
PID 2620 wrote to memory of 472	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	145
PID 2620 wrote to memory of 5292	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	161
PID 2620 wrote to memory of 5292	2620	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe	161

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe
"C:\Users\Admin\AppData\Local\Temp\88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\RemotePackages\services.exe
  "C:\Windows\RemotePackages\services.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\RemotePackages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TextInputHost.exe

Filesize
1.4MB

MD5
778a4d77c6ff79fd7a705c719951dfa0

SHA1
55a597e7fc6d496889618bba175e7f2c61cced4b

SHA256
88779158ac60b121c524491e5959f42fd7a98861540d6a4ffc375b17ab23b489

SHA512
d6bf52c9115b934df88daf167311e7916d6d8e3d1b44e57a3dc41c8cab755eb8bb2c50a1d4c52791e07630a447aa46987f1503b70a485095ce67893cfe4900bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
243347db405974f6277b941306d57ddb

SHA1
48a7563230d78ecfe8aaa7b749bf985c6078b4e4

SHA256
876100d0ce1aff677a0cab677787ca9858a989f4e5c13b05c8931f709232b835

SHA512
1c45eae761fb4224943debe2f2d553793146bb6d4bf2535de2bded3f9c78665607bc1fce7d4ecf905569488e42e42d0bf4b6d20dfcf8cda77a354b8faf17a951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96cb80a142b37ab4b3b6006fb9344bac

SHA1
cfb0d756fbad277e9c508cbea162cf16ea28bd8d

SHA256
bd23b440cad6871d9a49843083c3eba6dc50f464b627bb3b7515eecbfb7b7cd6

SHA512
d4a097fb09ac8170297a058667ff50df2250820734465d0043dd91c3c2c5b4f71af0f0c71331b0768e6874b59e8c027b0b89ad349a4c3f7461a9019ffaf96623

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckhj2hdb.fh1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1132-197-0x000002ED287D0000-0x000002ED287F2000-memory.dmp

Filesize
136KB

Download
memory/2620-8-0x0000000001280000-0x000000000128C000-memory.dmp

Filesize
48KB

Download
memory/2620-338-0x00007FFFE1170000-0x00007FFFE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/2620-15-0x0000000002E50000-0x0000000002E58000-memory.dmp

Filesize
32KB

Download
memory/2620-16-0x0000000002E60000-0x0000000002E6C000-memory.dmp

Filesize
48KB

Download
memory/2620-13-0x0000000002E30000-0x0000000002E3E000-memory.dmp

Filesize
56KB

Download
memory/2620-48-0x00007FFFE1173000-0x00007FFFE1175000-memory.dmp

Filesize
8KB

Download
memory/2620-62-0x00007FFFE1170000-0x00007FFFE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/2620-12-0x000000001BF80000-0x000000001BF8C000-memory.dmp

Filesize
48KB

Download
memory/2620-11-0x0000000002E20000-0x0000000002E2C000-memory.dmp

Filesize
48KB

Download
memory/2620-14-0x0000000002E40000-0x0000000002E4C000-memory.dmp

Filesize
48KB

Download
memory/2620-10-0x00000000012A0000-0x00000000012AC000-memory.dmp

Filesize
48KB

Download
memory/2620-9-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/2620-0-0x00007FFFE1173000-0x00007FFFE1175000-memory.dmp

Filesize
8KB

Download
memory/2620-7-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/2620-6-0x00007FFFE1170000-0x00007FFFE1C31000-memory.dmp

Filesize
10.8MB

Download
memory/2620-4-0x0000000002E00000-0x0000000002E08000-memory.dmp

Filesize
32KB

Download
memory/2620-5-0x0000000002E10000-0x0000000002E1A000-memory.dmp

Filesize
40KB

Download
memory/2620-3-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/2620-2-0x0000000002DE0000-0x0000000002DEE000-memory.dmp

Filesize
56KB

Download
memory/2620-1-0x0000000000830000-0x00000000009A6000-memory.dmp

Filesize
1.5MB

Download