dcrat | 5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Size

1.8MB
MD5

5fe5c094a2fd1a198178aa10c5b62307
SHA1

766b36ad58f89249728f8405b893ee104f3a8e6d
SHA256

5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a
SHA512

c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0
SSDEEP

49152:mhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:mgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1028	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1028	schtasks.exe	86

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4924-1-0x0000000000C70000-0x0000000000E3E000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca7-26.dat	dcrat
behavioral2/files/0x000e000000023b5d-80.dat	dcrat
behavioral2/memory/3312-190-0x0000000000790000-0x000000000095E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4392	powershell.exe
3096	powershell.exe
4784	powershell.exe
1172	powershell.exe
2620	powershell.exe
1660	powershell.exe
4792	powershell.exe
2900	powershell.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dllhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

Executes dropped EXE 8 IoCs

pid	Process
3312	dllhost.exe
1420	dllhost.exe
4148	dllhost.exe
2508	dllhost.exe
1616	dllhost.exe
3108	dllhost.exe
648	dllhost.exe
4076	dllhost.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\6cb0b6c459d5d3	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXADAC.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6203df4a6bafc7	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXA318.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXA51C.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXAB98.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\5940a34987c991	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\22eafd247d37c3	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\taskhostw.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Windows\Setup\State\taskhostw.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Windows\ImmersiveControlPanel\uk-UA\explorer.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\apppatch\RCXA104.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\Setup\State\taskhostw.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\apppatch\taskhostw.exe	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Windows\apppatch\ea9f0e6c9e2dcd	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File created	C:\Windows\Setup\State\ea9f0e6c9e2dcd	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
File opened for modification	C:\Windows\Setup\State\RCXA721.tmp	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4244	schtasks.exe
1536	schtasks.exe
1780	schtasks.exe
3984	schtasks.exe
3396	schtasks.exe
2020	schtasks.exe
4564	schtasks.exe
516	schtasks.exe
1908	schtasks.exe
3944	schtasks.exe
1916	schtasks.exe
4272	schtasks.exe
3148	schtasks.exe
3836	schtasks.exe
2248	schtasks.exe
3400	schtasks.exe
3932	schtasks.exe
2480	schtasks.exe
2308	schtasks.exe
2940	schtasks.exe
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
1172	powershell.exe
1172	powershell.exe
2900	powershell.exe
2900	powershell.exe
4392	powershell.exe
4392	powershell.exe
3096	powershell.exe
3096	powershell.exe
4792	powershell.exe
4792	powershell.exe
2620	powershell.exe
2620	powershell.exe
1660	powershell.exe
1660	powershell.exe
4784	powershell.exe
4784	powershell.exe
1172	powershell.exe
1660	powershell.exe
2900	powershell.exe
3096	powershell.exe
2620	powershell.exe
4392	powershell.exe
4792	powershell.exe
4784	powershell.exe
3312	dllhost.exe
1420	dllhost.exe
4148	dllhost.exe
2508	dllhost.exe
1616	dllhost.exe
3108	dllhost.exe
648	dllhost.exe
4076	dllhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3312	dllhost.exe
Token: SeDebugPrivilege	1420	dllhost.exe
Token: SeDebugPrivilege	4148	dllhost.exe
Token: SeDebugPrivilege	2508	dllhost.exe
Token: SeDebugPrivilege	1616	dllhost.exe
Token: SeDebugPrivilege	3108	dllhost.exe
Token: SeDebugPrivilege	648	dllhost.exe
Token: SeDebugPrivilege	4076	dllhost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 4784	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	111
PID 4924 wrote to memory of 4784	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	111
PID 4924 wrote to memory of 1172	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	112
PID 4924 wrote to memory of 1172	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	112
PID 4924 wrote to memory of 2620	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	113
PID 4924 wrote to memory of 2620	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	113
PID 4924 wrote to memory of 3096	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	114
PID 4924 wrote to memory of 3096	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	114
PID 4924 wrote to memory of 4392	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	116
PID 4924 wrote to memory of 4392	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	116
PID 4924 wrote to memory of 2900	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	117
PID 4924 wrote to memory of 2900	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	117
PID 4924 wrote to memory of 4792	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	118
PID 4924 wrote to memory of 4792	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	118
PID 4924 wrote to memory of 1660	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	119
PID 4924 wrote to memory of 1660	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	119
PID 4924 wrote to memory of 3312	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	127
PID 4924 wrote to memory of 3312	4924	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe	127
PID 3312 wrote to memory of 924	3312	dllhost.exe	129
PID 3312 wrote to memory of 924	3312	dllhost.exe	129
PID 3312 wrote to memory of 696	3312	dllhost.exe	130
PID 3312 wrote to memory of 696	3312	dllhost.exe	130
PID 924 wrote to memory of 1420	924	WScript.exe	133
PID 924 wrote to memory of 1420	924	WScript.exe	133
PID 1420 wrote to memory of 2784	1420	dllhost.exe	134
PID 1420 wrote to memory of 2784	1420	dllhost.exe	134
PID 1420 wrote to memory of 3836	1420	dllhost.exe	135
PID 1420 wrote to memory of 3836	1420	dllhost.exe	135
PID 2784 wrote to memory of 4148	2784	WScript.exe	136
PID 2784 wrote to memory of 4148	2784	WScript.exe	136
PID 4148 wrote to memory of 4360	4148	dllhost.exe	137
PID 4148 wrote to memory of 4360	4148	dllhost.exe	137
PID 4148 wrote to memory of 4772	4148	dllhost.exe	138
PID 4148 wrote to memory of 4772	4148	dllhost.exe	138
PID 4360 wrote to memory of 2508	4360	WScript.exe	140
PID 4360 wrote to memory of 2508	4360	WScript.exe	140
PID 2508 wrote to memory of 4796	2508	dllhost.exe	141
PID 2508 wrote to memory of 4796	2508	dllhost.exe	141
PID 2508 wrote to memory of 3816	2508	dllhost.exe	142
PID 2508 wrote to memory of 3816	2508	dllhost.exe	142
PID 4796 wrote to memory of 1616	4796	WScript.exe	144
PID 4796 wrote to memory of 1616	4796	WScript.exe	144
PID 1616 wrote to memory of 2296	1616	dllhost.exe	145
PID 1616 wrote to memory of 2296	1616	dllhost.exe	145
PID 1616 wrote to memory of 2844	1616	dllhost.exe	146
PID 1616 wrote to memory of 2844	1616	dllhost.exe	146
PID 2296 wrote to memory of 3108	2296	WScript.exe	147
PID 2296 wrote to memory of 3108	2296	WScript.exe	147
PID 3108 wrote to memory of 4688	3108	dllhost.exe	148
PID 3108 wrote to memory of 4688	3108	dllhost.exe	148
PID 3108 wrote to memory of 4924	3108	dllhost.exe	149
PID 3108 wrote to memory of 4924	3108	dllhost.exe	149
PID 4688 wrote to memory of 648	4688	WScript.exe	150
PID 4688 wrote to memory of 648	4688	WScript.exe	150
PID 648 wrote to memory of 680	648	dllhost.exe	151
PID 648 wrote to memory of 680	648	dllhost.exe	151
PID 648 wrote to memory of 3424	648	dllhost.exe	152
PID 648 wrote to memory of 3424	648	dllhost.exe	152
PID 680 wrote to memory of 4076	680	WScript.exe	153
PID 680 wrote to memory of 4076	680	WScript.exe	153

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe
"C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
  "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3312
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ca729e7-4b6a-4703-9bf7-0734dfe5f534.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
      "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1420
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c7b52f-602e-460b-bf19-c3f74033b9cd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b58bf5-d653-40b7-b8c3-b42a49c40d2d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33a790a-1f3b-40f8-a935-1736934a533a.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f14ea849-73f3-4df5-8b84-363ed7711195.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\646fa27d-4432-45fd-a3c1-3d7ef9275359.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        14⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eeecae90-5449-4db1-a903-4ef85450c482.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f31370b-8e40-41f3-8ffb-4763f56580a0.vbs"
        15⤵
        
        PID:3424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9061f2a1-69a2-4bb7-bdbe-d922fb62aef8.vbs"
        13⤵
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c631a1dd-98a0-462f-b09a-f3dced3d63f4.vbs"
        11⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198ddc90-c2d0-42c9-b42b-5696911c37b2.vbs"
        9⤵
        
        PID:3816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afa264da-98d8-4556-be90-cee631da1f13.vbs"
        7⤵
        
        PID:4772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84c2662d-47b6-4d86-8f12-a7fb0b64ec20.vbs"
        5⤵
        
        PID:3836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a8c2a9-d5c6-4353-ae11-70e19ad1957c.vbs"
    3⤵
    PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\apppatch\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\apppatch\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe

Filesize
1.8MB

MD5
b82f5228435b1b6d2f6c65d65eb514da

SHA1
cc6bff1d0d7e34581b0b9720384333e2401529c9

SHA256
4e3c6dcbc73055ff404e7326ae5d0846c8e8c9aed2e6760480e03e20992c3e76

SHA512
266bd8af58a3e92cb53ad10cd572390a32e1833aa67aad8d73454488bd84ea8c4ed955386826187fceca8a403f8463862ec76fea811b9cda4440c0ea15093aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\646fa27d-4432-45fd-a3c1-3d7ef9275359.vbs

Filesize
735B

MD5
fba723fdb281a5dd6259d5d49aca7f14

SHA1
a6951f1754ffdd77a02894c31030ab956b522c07

SHA256
a553c48e8bdabf30e57b735a2b0c0e67492a476f8ca6c4842213df1cf16d9cdd

SHA512
826590f049152197feaf9a9cff64da14e1cf170c39e0e16fd90548c0789c879ae347482be7c598542dce46e9a9479552109abced6d9c05f48d0d745dca200872

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ca729e7-4b6a-4703-9bf7-0734dfe5f534.vbs

Filesize
735B

MD5
8fe84219a5156e72594b0ff8d2cde685

SHA1
0e0a304819b04ccf8cd1c49b7c54f8bb71203b68

SHA256
8f4275f0d27f993a33506d003cf7d6e6df27d8b0532a30a532019fc68292920a

SHA512
d20ffa2ef6b0aa6bb227fbbd6195d39eb4ebe2d00433c844fe0c6b2f1bea3534ebd79480ba702f50ae516bd6a3fb0ba669ecfa6f6259aecdcbccf89406a04070

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bl313hby.fmk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1b58bf5-d653-40b7-b8c3-b42a49c40d2d.vbs

Filesize
735B

MD5
c94d921abd26206279c5d543e1009fa9

SHA1
2ed1bf709eed9a6558d1394c2dda71ea10bf5057

SHA256
821d98c8f4f8c8c9cb96184748f9167505875235dd11c02e7ef26d4be25b3ec9

SHA512
2decf7780f2ff03242ebf9724bed41f1ae3cbbd1cc1e9a9ccc20318805062e9e0b3da6889df262595ccb48d1fd12e4671a4ded3430c585e5c2dd39f89e5191be

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0c7b52f-602e-460b-bf19-c3f74033b9cd.vbs

Filesize
735B

MD5
589f2b1e6508eb945e5d9accb1a95ac9

SHA1
97549c1608c987a3f9277ac80cc48f9e51cdd3b9

SHA256
86dfcd3e7172cb70a95866334147385a45cd5444949778c74c9cb161b6279104

SHA512
93f94ea446879df52b8d7a487768589bb6dcb1fd9544c0e475739a73fbdac4b028052bc257798fc1daa5afeb7065d1915149cdb6efabe00803cda73256f19d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8a8c2a9-d5c6-4353-ae11-70e19ad1957c.vbs

Filesize
511B

MD5
6531214b5fcb4b63e09558f95e477da6

SHA1
5c1bd619bd5e017017af93c78f502d261f48576a

SHA256
7a13772a9b59d0e8e17cf090ac1c088b3cc47ff8b671351f32360a74f86c9c79

SHA512
0212e17b6dde36a4baa3150b37407948be5bf83872fb258792ada7158e73d64a4fa6306de3555cdff6b47449c1353521903c56b6f12ac8716122d16f7b8954fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eeecae90-5449-4db1-a903-4ef85450c482.vbs

Filesize
734B

MD5
7c9c57fdd605cf4b9cf73cb8c79d5e3a

SHA1
b4a39998019a1fdcd902c3d36c1b58c51f0ff9c9

SHA256
37a1df98c7cdc6c5d658d0352349c2b3e9f5ac7d417a173085454fd8559e3fff

SHA512
cd31d8ac6f7a4cbade615749d95863f99c241f1931901c4b791705227f848c03cde51265aa9cb353958af4f28ce5d2fd514c08833a3c5df29498d51676b3fcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\f14ea849-73f3-4df5-8b84-363ed7711195.vbs

Filesize
735B

MD5
95576ebc132c451fc94d9c46fc43a879

SHA1
08fd101fad750e1089e7238d06bcf7562658f14c

SHA256
347e28d345cea7d91241e35655a7ef6c66afac5f8ccd20ab30c01450b83b97c7

SHA512
6d4950cc95bd2870b87264b9dcfb30ab68e3fb87ea06d966eb5db871ade86100d228cd670d0a783b47f58f41bad5606c76a825e5322dc1b26486e18261fcea79

Download Submit
C:\Users\Admin\AppData\Local\Temp\f33a790a-1f3b-40f8-a935-1736934a533a.vbs

Filesize
735B

MD5
5a4985dfea01bcce227f94922ed39a67

SHA1
39ea0b71019c14c4182310a71132ebabc645c9ac

SHA256
6add77f73294c6e0e3bc7e63d19a3d4adf6d9f9bbc75434ff5bd9954552937ae

SHA512
96c1062f5146fd4c217992a9dfee2be02da2adee0fb79637afddc5c87c483c6122fdc8b26db990e1dd8b87e5da4001167e4abb390a4a646fd2ccfcffb13da029

Download Submit
C:\Users\Default\smss.exe

Filesize
1.8MB

MD5
5fe5c094a2fd1a198178aa10c5b62307

SHA1
766b36ad58f89249728f8405b893ee104f3a8e6d

SHA256
5e7335d97a5514b9dfe04a2f493854f017f1b995e24d2affeeb4ae247068103a

SHA512
c1d4c29f0bf10787c5ed6bafd244f466a9be5a805976670a52337d90362eb00d3f9a278d822d9858128d5c8189c1da1125da76dd75b3e10d04be639a4e30b0c0

Download Submit
memory/648-277-0x0000000002FA0000-0x0000000002FB2000-memory.dmp

Filesize
72KB

Download
memory/1172-115-0x00000276F1570000-0x00000276F1592000-memory.dmp

Filesize
136KB

Download
memory/3312-209-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/3312-190-0x0000000000790000-0x000000000095E000-memory.dmp

Filesize
1.8MB

Download
memory/4076-289-0x0000000002D50000-0x0000000002D62000-memory.dmp

Filesize
72KB

Download
memory/4924-7-0x0000000002FB0000-0x0000000002FC6000-memory.dmp

Filesize
88KB

Download
memory/4924-0-0x00007FFB33813000-0x00007FFB33815000-memory.dmp

Filesize
8KB

Download
memory/4924-191-0x00007FFB33810000-0x00007FFB342D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-9-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/4924-8-0x0000000002FD0000-0x0000000002FE2000-memory.dmp

Filesize
72KB

Download
memory/4924-12-0x000000001C790000-0x000000001CCB8000-memory.dmp

Filesize
5.2MB

Download
memory/4924-6-0x0000000001730000-0x0000000001740000-memory.dmp

Filesize
64KB

Download
memory/4924-10-0x0000000002FE0000-0x0000000002FEA000-memory.dmp

Filesize
40KB

Download
memory/4924-5-0x0000000001710000-0x0000000001718000-memory.dmp

Filesize
32KB

Download
memory/4924-11-0x0000000002FF0000-0x0000000003002000-memory.dmp

Filesize
72KB

Download
memory/4924-4-0x000000001C110000-0x000000001C160000-memory.dmp

Filesize
320KB

Download
memory/4924-3-0x0000000002F90000-0x0000000002FAC000-memory.dmp

Filesize
112KB

Download
memory/4924-2-0x00007FFB33810000-0x00007FFB342D1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-17-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/4924-16-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/4924-1-0x0000000000C70000-0x0000000000E3E000-memory.dmp

Filesize
1.8MB

Download
memory/4924-13-0x000000001C260000-0x000000001C26A000-memory.dmp

Filesize
40KB

Download
memory/4924-14-0x000000001C270000-0x000000001C27E000-memory.dmp

Filesize
56KB

Download
memory/4924-15-0x000000001C280000-0x000000001C28E000-memory.dmp

Filesize
56KB

Download