dcrat | cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Size

1.8MB
MD5

d460777963c85344556aa9d4adc322a0
SHA1

cb0f873b26e938ef7d5b5dbe71aa23bc311400d3
SHA256

cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9
SHA512

a247b0454747177cdc7453bd5208b78ed8e37332b68d672de46e9ea0f2dc0da9947d3fc40f6bfcc6c74fd7a8ef371a311217c9f5c3c0f13c291d69dd2f9590af
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	432	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	432	schtasks.exe	86

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1708-1-0x0000000000890000-0x0000000000A5E000-memory.dmp	dcrat
behavioral2/files/0x000a000000023c58-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
736	powershell.exe
1044	powershell.exe
3956	powershell.exe
2848	powershell.exe
1856	powershell.exe
2632	powershell.exe
3964	powershell.exe
1732	powershell.exe
116	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Executes dropped EXE 7 IoCs

pid	Process
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
4380	services.exe
2820	services.exe
5072	services.exe
2384	services.exe
5004	services.exe
3612	services.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Mail\wininit.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\56085415360792	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
File created	C:\Program Files\Windows Mail\wininit.exe	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
208	schtasks.exe
5060	schtasks.exe
3432	schtasks.exe
4688	schtasks.exe
1432	schtasks.exe
4380	schtasks.exe
1808	schtasks.exe
4504	schtasks.exe
2864	schtasks.exe
1344	schtasks.exe
4444	schtasks.exe
4328	schtasks.exe
4424	schtasks.exe
4628	schtasks.exe
2124	schtasks.exe
1644	schtasks.exe
3944	schtasks.exe
1972	schtasks.exe
3452	schtasks.exe
3356	schtasks.exe
3456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
1044	powershell.exe
736	powershell.exe
1856	powershell.exe
1856	powershell.exe
736	powershell.exe
1044	powershell.exe
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
116	powershell.exe
116	powershell.exe
1732	powershell.exe
1732	powershell.exe
2848	powershell.exe
2848	powershell.exe
2632	powershell.exe
2632	powershell.exe
3964	powershell.exe
3964	powershell.exe
3956	powershell.exe
3956	powershell.exe
3956	powershell.exe
116	powershell.exe
2632	powershell.exe
1732	powershell.exe
2848	powershell.exe
3964	powershell.exe
4380	services.exe
2820	services.exe
5072	services.exe
2384	services.exe
5004	services.exe
3612	services.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4380	services.exe
Token: SeDebugPrivilege	2820	services.exe
Token: SeDebugPrivilege	5072	services.exe
Token: SeDebugPrivilege	2384	services.exe
Token: SeDebugPrivilege	5004	services.exe
Token: SeDebugPrivilege	3612	services.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1856	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	96
PID 1708 wrote to memory of 1856	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	96
PID 1708 wrote to memory of 736	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	97
PID 1708 wrote to memory of 736	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	97
PID 1708 wrote to memory of 1044	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	98
PID 1708 wrote to memory of 1044	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	98
PID 1708 wrote to memory of 2652	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	102
PID 1708 wrote to memory of 2652	1708	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	102
PID 2652 wrote to memory of 3956	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	120
PID 2652 wrote to memory of 3956	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	120
PID 2652 wrote to memory of 1732	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	121
PID 2652 wrote to memory of 1732	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	121
PID 2652 wrote to memory of 3964	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	122
PID 2652 wrote to memory of 3964	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	122
PID 2652 wrote to memory of 2848	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	123
PID 2652 wrote to memory of 2848	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	123
PID 2652 wrote to memory of 2632	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	125
PID 2652 wrote to memory of 2632	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	125
PID 2652 wrote to memory of 116	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	126
PID 2652 wrote to memory of 116	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	126
PID 2652 wrote to memory of 4380	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	132
PID 2652 wrote to memory of 4380	2652	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe	132
PID 4380 wrote to memory of 3516	4380	services.exe	135
PID 4380 wrote to memory of 3516	4380	services.exe	135
PID 4380 wrote to memory of 2548	4380	services.exe	136
PID 4380 wrote to memory of 2548	4380	services.exe	136
PID 3516 wrote to memory of 2820	3516	WScript.exe	137
PID 3516 wrote to memory of 2820	3516	WScript.exe	137
PID 2820 wrote to memory of 1348	2820	services.exe	138
PID 2820 wrote to memory of 1348	2820	services.exe	138
PID 2820 wrote to memory of 4512	2820	services.exe	139
PID 2820 wrote to memory of 4512	2820	services.exe	139
PID 1348 wrote to memory of 5072	1348	WScript.exe	140
PID 1348 wrote to memory of 5072	1348	WScript.exe	140
PID 5072 wrote to memory of 1700	5072	services.exe	142
PID 5072 wrote to memory of 1700	5072	services.exe	142
PID 5072 wrote to memory of 1972	5072	services.exe	143
PID 5072 wrote to memory of 1972	5072	services.exe	143
PID 1700 wrote to memory of 2384	1700	WScript.exe	145
PID 1700 wrote to memory of 2384	1700	WScript.exe	145
PID 2384 wrote to memory of 2160	2384	services.exe	146
PID 2384 wrote to memory of 2160	2384	services.exe	146
PID 2384 wrote to memory of 2848	2384	services.exe	147
PID 2384 wrote to memory of 2848	2384	services.exe	147
PID 2160 wrote to memory of 5004	2160	WScript.exe	148
PID 2160 wrote to memory of 5004	2160	WScript.exe	148
PID 5004 wrote to memory of 4528	5004	services.exe	149
PID 5004 wrote to memory of 4528	5004	services.exe	149
PID 5004 wrote to memory of 3932	5004	services.exe	150
PID 5004 wrote to memory of 3932	5004	services.exe	150
PID 4528 wrote to memory of 3612	4528	WScript.exe	151
PID 4528 wrote to memory of 3612	4528	WScript.exe	151
PID 3612 wrote to memory of 3992	3612	services.exe	152
PID 3612 wrote to memory of 3992	3612	services.exe	152
PID 3612 wrote to memory of 2592	3612	services.exe	153
PID 3612 wrote to memory of 2592	3612	services.exe	153

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
"C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe
  "C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Recovery\WindowsRE\services.exe
    "C:\Recovery\WindowsRE\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4380
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14157f7e-910c-4ffe-b8b8-47484f1ae9ca.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2820
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34ea7fbf-4878-436b-87f2-c80b2c75ce30.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45cda749-46ef-4ed2-915b-c6acb7bcf6a9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e2ff5bd-4c47-46ad-9bd2-544ccfbea422.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c745a6d3-d8ca-4e8a-ace5-e5f978349a4e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c80b87e3-b704-456d-b113-0d8d43bb5182.vbs"
        14⤵
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b984d708-6c5e-443d-9861-2a104a855a0d.vbs"
        14⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a989b9e-b027-45e3-97a7-a24a3ee70be0.vbs"
        12⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f4ccf5f-73c9-417d-87aa-de16593b7a8f.vbs"
        10⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\334ae3a9-714d-4c7b-9bed-7653947e4a11.vbs"
        8⤵
        
        PID:1972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fabaf2d-04cd-4996-9faf-70a9f424f53b.vbs"
        6⤵
        
        PID:4512
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e6f0bd1-af4c-4452-be48-3f4c097cfe3f.vbs"
      4⤵
      PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dwm.exe

Filesize
1.8MB

MD5
d460777963c85344556aa9d4adc322a0

SHA1
cb0f873b26e938ef7d5b5dbe71aa23bc311400d3

SHA256
cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9

SHA512
a247b0454747177cdc7453bd5208b78ed8e37332b68d672de46e9ea0f2dc0da9947d3fc40f6bfcc6c74fd7a8ef371a311217c9f5c3c0f13c291d69dd2f9590af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cdd8653dcd7a1003c7afb21d9094212ddf655cd62792e2651e531f3bf2f3c8a9N.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
def02d9cbf3553624aa606226770e69c

SHA1
4c10b8d53a467654de7d22b9e96aee8f61ae2c86

SHA256
d89a0d362229fc3a7042031aec4175ecbe776d9baffed142d3f147dfa57bcd71

SHA512
0640e7fd9374de59908c510114f18354a777397b163a63341a2e6bd8ef00d826aba6ad657ccc172f0790e423ecbaf737a0fa4ff05a85477e5b9e72f80d35dce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef72c47dbfaae0b9b0d09f22ad4afe20

SHA1
5357f66ba69b89440b99d4273b74221670129338

SHA256
692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

SHA512
7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
085e0a3b869f290afea5688a8ac4e7c5

SHA1
0fedef5057708908bcca9e7572be8f46cef4f3ca

SHA256
1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

SHA512
bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14157f7e-910c-4ffe-b8b8-47484f1ae9ca.vbs

Filesize
710B

MD5
c8c56cef6dcf3770b1addbc9a64f1923

SHA1
606867d4fb4693b160aa702f922157a979f60aa8

SHA256
ffa1b4f7e2aa04e96d7a48602e1a18274c3207e10d3674d5014ca236bbfa1688

SHA512
7fb7d39ef60376e5642792cf3001c7fa846a7b4f9ccf3abf75ad621d6f7ad93e9001673619523863c53915fc5a6ec216f09df683403c92b1c79fdb4b0fa228ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e6f0bd1-af4c-4452-be48-3f4c097cfe3f.vbs

Filesize
486B

MD5
37ba87a1be9cb97a17bc2b0ee93c02ef

SHA1
279bdad2ef627145063d63932582b4086f7d5909

SHA256
5a22498845de07c35467f4f5030c623f76f363adca33df5935e1009e9ac115bf

SHA512
bf15f849dc947d20e33f9891003d50b56a336cc7bca58e850ea961e066737d354a459561437bc4d7fad81de18459873a1dd623067cb1a3001910a7338f477865

Download Submit
C:\Users\Admin\AppData\Local\Temp\34ea7fbf-4878-436b-87f2-c80b2c75ce30.vbs

Filesize
710B

MD5
3be2c7376cb4f49c3e347f4bd2b9dfdf

SHA1
2f55df4988e441ff595586804af684180e244b0c

SHA256
7947c2da4993c2fcdd8e7edacc515f77ce58a016b00c71e3609d27f22c4e9cf3

SHA512
33519061337f6de6db57f718be12edc26a28d40b6e1580f4fb024d69b96c9ce489fbeee97fc477b76f0d0b90edd0fa9b51eb8d9c7c2ec70251eb8369ae92bc21

Download Submit
C:\Users\Admin\AppData\Local\Temp\45cda749-46ef-4ed2-915b-c6acb7bcf6a9.vbs

Filesize
710B

MD5
bf0982120d1e46678901defbd4607a2c

SHA1
a291ef0104662392190681538143ac4d588d34a8

SHA256
6987557a207650c0fe716ddfbc07dc6dcf09520b67ade52d22f544a34871437a

SHA512
b5bcd0a1a0e6a77bb8fdb60252236e9efa32166a25754092b51bd93b0340cd85781af6351d51397d3f9b505fad1a538ff32e46d62764deabb23757e7a49aefe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e2ff5bd-4c47-46ad-9bd2-544ccfbea422.vbs

Filesize
710B

MD5
2662b9cef9f9770691fc33e417eb67b9

SHA1
bbcf4e3c784c0cd37c798adc4ae82820ce6b1572

SHA256
b961323552662e1ad12f4f4b29e08468c239be3228c8b5fefb1ae7a0f88da489

SHA512
ede46a6d98d0768c5cfd10de432e64866c659c539407462fc109ac63e4218e00080e18431d2bf3cdfeb79e17694439c6e1f1094d2c1561fbba165da824352c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_prnq2ice.lqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c745a6d3-d8ca-4e8a-ace5-e5f978349a4e.vbs

Filesize
710B

MD5
f28f5593008260728f367fcf27a6c76a

SHA1
739ac33ebee5f764556e8e828823ad9d5c5614a0

SHA256
181efda7a00f834434a1972bd59224e4e305fae7c3f200ae12911db8d9b93ed3

SHA512
4b8bcd0616421ce139bc3ae4cd2e33ef4799a8c6d6d7919f0d13468b8c88f995b1c4ec88e38e9acf6b6b1f393c80e88ae7beb3c5b567d5a81640ba69536895d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c80b87e3-b704-456d-b113-0d8d43bb5182.vbs

Filesize
710B

MD5
7f11ccd6080d58c5de2f0c1b4d3923da

SHA1
ddf370d57321651837adfe0d96f4dc22e5881f60

SHA256
4b90cfcd10597e17a8c9e57b51da0f83eb179a055ef4863b353b971b2603c2fa

SHA512
41af159d40641f528e15f8aee8787dbd7353d42b1f7d5075585bb2de68244c8c0dfab092ee95512074feea8c4b86334877679d11e92dca061509f99c0144cbd2

Download Submit
memory/1044-53-0x00000213756B0000-0x00000213756D2000-memory.dmp

Filesize
136KB

Download
memory/1708-16-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

Filesize
48KB

Download
memory/1708-5-0x0000000002B30000-0x0000000002B38000-memory.dmp

Filesize
32KB

Download
memory/1708-17-0x000000001BEC0000-0x000000001BECC000-memory.dmp

Filesize
48KB

Download
memory/1708-8-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/1708-10-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

Filesize
40KB

Download
memory/1708-77-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1708-9-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download
memory/1708-2-0x00007FFE0B010000-0x00007FFE0BAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1708-3-0x0000000002B90000-0x0000000002BAC000-memory.dmp

Filesize
112KB

Download
memory/1708-0-0x00007FFE0B013000-0x00007FFE0B015000-memory.dmp

Filesize
8KB

Download
memory/1708-4-0x000000001BD20000-0x000000001BD70000-memory.dmp

Filesize
320KB

Download
memory/1708-6-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/1708-7-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

Filesize
88KB

Download
memory/1708-14-0x000000001BE90000-0x000000001BE9E000-memory.dmp

Filesize
56KB

Download
memory/1708-15-0x000000001BEA0000-0x000000001BEAE000-memory.dmp

Filesize
56KB

Download
memory/1708-1-0x0000000000890000-0x0000000000A5E000-memory.dmp

Filesize
1.8MB

Download
memory/1708-13-0x0000000002C20000-0x0000000002C2A000-memory.dmp

Filesize
40KB

Download
memory/1708-12-0x000000001C3C0000-0x000000001C8E8000-memory.dmp

Filesize
5.2MB

Download
memory/1708-11-0x0000000002C00000-0x0000000002C12000-memory.dmp

Filesize
72KB

Download
memory/2652-79-0x000000001C1A0000-0x000000001C1B2000-memory.dmp

Filesize
72KB

Download
memory/2652-78-0x000000001C030000-0x000000001C042000-memory.dmp

Filesize
72KB

Download