dcrat | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Size

1.8MB
MD5

7582ed7a9f3ac0c15a2b7c81155d8b59
SHA1

0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6
SHA256

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077
SHA512

6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2708	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2708	schtasks.exe

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

explorer.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000BA0000-0x0000000000D6E000-memory.dmp	dcrat
C:\Users\Public\Videos\Sample Videos\WMIADAP.exe	dcrat
behavioral1/memory/1528-116-0x0000000001250000-0x000000000141E000-memory.dmp	dcrat
behavioral1/memory/3060-141-0x0000000000080000-0x000000000024E000-memory.dmp	dcrat
behavioral1/memory/1556-153-0x0000000000E50000-0x000000000101E000-memory.dmp	dcrat
behavioral1/memory/1372-176-0x0000000001030000-0x00000000011FE000-memory.dmp	dcrat
behavioral1/memory/2168-189-0x0000000001150000-0x000000000131E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

556 powershell.exe
1376 powershell.exe
2072 powershell.exe
2508 powershell.exe
2148 powershell.exe
2248 powershell.exe
2232 powershell.exe
Executes dropped EXE 7 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid process

1528 explorer.exe
2584 explorer.exe
3060 explorer.exe
1556 explorer.exe
2324 explorer.exe
1372 explorer.exe
2168 explorer.exe

pid	process
556	powershell.exe
1376	powershell.exe
2072	powershell.exe
2508	powershell.exe
2148	powershell.exe
2248	powershell.exe
2232	powershell.exe

pid	process
1528	explorer.exe
2584	explorer.exe
3060	explorer.exe
1556	explorer.exe
2324	explorer.exe
1372	explorer.exe
2168	explorer.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Drops file in Program Files directory 8 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXE227.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXE62E.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\7a0fd90576e088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Drops file in Windows directory 4 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
File created	C:\Windows\de-DE\services.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\de-DE\services.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\de-DE\c5b4cb5e9653cc	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\de-DE\RCXDFB6.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2824	schtasks.exe
2588	schtasks.exe
640	schtasks.exe
2308	schtasks.exe
2552	schtasks.exe
2060	schtasks.exe
2352	schtasks.exe
1212	schtasks.exe
2600	schtasks.exe
2512	schtasks.exe
2876	schtasks.exe
2704	schtasks.exe
2820	schtasks.exe
2728	schtasks.exe
1984	schtasks.exe
2944	schtasks.exe
1652	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2508	powershell.exe
2072	powershell.exe
2248	powershell.exe
1376	powershell.exe
2148	powershell.exe
556	powershell.exe
2232	powershell.exe
1528	explorer.exe
2584	explorer.exe
3060	explorer.exe
1556	explorer.exe
2324	explorer.exe
1372	explorer.exe
2168	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1528	explorer.exe
Token: SeDebugPrivilege	2584	explorer.exe
Token: SeDebugPrivilege	3060	explorer.exe
Token: SeDebugPrivilege	1556	explorer.exe
Token: SeDebugPrivilege	2324	explorer.exe
Token: SeDebugPrivilege	1372	explorer.exe
Token: SeDebugPrivilege	2168	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.execmd.exeexplorer.exeWScript.exeexplorer.exeWScript.exeexplorer.exeWScript.exeexplorer.exeWScript.exe

description	pid	process	target process
PID 2320 wrote to memory of 2148	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2148	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2148	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2508	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2508	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2508	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2248	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2248	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2248	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2072	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2072	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2072	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 1376	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 1376	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 1376	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2232	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2232	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 2232	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 556	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 556	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 556	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2320 wrote to memory of 1644	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	cmd.exe
PID 2320 wrote to memory of 1644	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	cmd.exe
PID 2320 wrote to memory of 1644	2320	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	cmd.exe
PID 1644 wrote to memory of 1788	1644	cmd.exe	w32tm.exe
PID 1644 wrote to memory of 1788	1644	cmd.exe	w32tm.exe
PID 1644 wrote to memory of 1788	1644	cmd.exe	w32tm.exe
PID 1644 wrote to memory of 1528	1644	cmd.exe	explorer.exe
PID 1644 wrote to memory of 1528	1644	cmd.exe	explorer.exe
PID 1644 wrote to memory of 1528	1644	cmd.exe	explorer.exe
PID 1528 wrote to memory of 2724	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2724	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2724	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2824	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2824	1528	explorer.exe	WScript.exe
PID 1528 wrote to memory of 2824	1528	explorer.exe	WScript.exe
PID 2724 wrote to memory of 2584	2724	WScript.exe	explorer.exe
PID 2724 wrote to memory of 2584	2724	WScript.exe	explorer.exe
PID 2724 wrote to memory of 2584	2724	WScript.exe	explorer.exe
PID 2584 wrote to memory of 2816	2584	explorer.exe	WScript.exe
PID 2584 wrote to memory of 2816	2584	explorer.exe	WScript.exe
PID 2584 wrote to memory of 2816	2584	explorer.exe	WScript.exe
PID 2584 wrote to memory of 1588	2584	explorer.exe	WScript.exe
PID 2584 wrote to memory of 1588	2584	explorer.exe	WScript.exe
PID 2584 wrote to memory of 1588	2584	explorer.exe	WScript.exe
PID 2816 wrote to memory of 3060	2816	WScript.exe	explorer.exe
PID 2816 wrote to memory of 3060	2816	WScript.exe	explorer.exe
PID 2816 wrote to memory of 3060	2816	WScript.exe	explorer.exe
PID 3060 wrote to memory of 2184	3060	explorer.exe	WScript.exe
PID 3060 wrote to memory of 2184	3060	explorer.exe	WScript.exe
PID 3060 wrote to memory of 2184	3060	explorer.exe	WScript.exe
PID 3060 wrote to memory of 948	3060	explorer.exe	WScript.exe
PID 3060 wrote to memory of 948	3060	explorer.exe	WScript.exe
PID 3060 wrote to memory of 948	3060	explorer.exe	WScript.exe
PID 2184 wrote to memory of 1556	2184	WScript.exe	explorer.exe
PID 2184 wrote to memory of 1556	2184	WScript.exe	explorer.exe
PID 2184 wrote to memory of 1556	2184	WScript.exe	explorer.exe
PID 1556 wrote to memory of 1368	1556	explorer.exe	WScript.exe
PID 1556 wrote to memory of 1368	1556	explorer.exe	WScript.exe
PID 1556 wrote to memory of 1368	1556	explorer.exe	WScript.exe
PID 1556 wrote to memory of 2456	1556	explorer.exe	WScript.exe
PID 1556 wrote to memory of 2456	1556	explorer.exe	WScript.exe
PID 1556 wrote to memory of 2456	1556	explorer.exe	WScript.exe
PID 1368 wrote to memory of 2324	1368	WScript.exe	explorer.exe

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
"C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1788
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1528
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b08dfc9d-6f79-442a-963e-b89b8db420a6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2584
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a53cf1ee-1468-40ed-b971-510cccb7b5b8.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc5e684c-22dd-42b9-b9f2-d11c72dee333.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d30e4bb8-c221-440c-92f6-349e744da79f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26c4432a-a684-45d7-b236-34eb3d9ece0d.vbs"
        12⤵
        
        PID:2744
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9eea631-03f6-4fca-8654-362b8f6504fa.vbs"
        14⤵
        
        PID:2260
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\868b8c9c-d711-467e-874c-4308a73ad27d.vbs"
        16⤵
        
        PID:892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86154059-66b2-419d-8d51-fcd761663a88.vbs"
        16⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e255248-fb96-460c-b69c-3178881152f3.vbs"
        14⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae0bf86-adde-47e3-9355-ea7d71978374.vbs"
        12⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cecbdfd-965c-4444-9808-d5620af19627.vbs"
        10⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df0b4075-f395-46fe-9a52-9942d08401cc.vbs"
        8⤵
        
        PID:948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7316e24-f8c4-4b91-987b-ff1df9dc1ebc.vbs"
        6⤵
        
        PID:1588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86ba2c36-7e89-4c39-ab8c-76a6309ac232.vbs"
      4⤵
      PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26c4432a-a684-45d7-b236-34eb3d9ece0d.vbs

Filesize
737B

MD5
d3f3d9cf125776f2b88ef1047a8c7927

SHA1
d3615b17f52fb0f6004b75b99300f69b8d201457

SHA256
8df88bac236d4f7b7ec27b5eda91c0f54834547cff6929ec814171338dfdb69d

SHA512
4e7f6e94d02b5cd9242c48221c08dc0d3bbb37e797e173b05a38ec45a9fcc2888425d6d41e5729b08c9c4b9243048655db097e000021744c8b13088da75862e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\868b8c9c-d711-467e-874c-4308a73ad27d.vbs

Filesize
737B

MD5
df014c54092e6525323e2b4470aff250

SHA1
878c08dddc2ad0f5b0dd120d5cb2eaf571895f05

SHA256
f4cb12e8e03d9a15cb644a6929a05320ac3152c33702bf781872fb99749fe2b9

SHA512
fd2b948c804697308c2398d9a2e1cf8c0d97d5f43c8dc6ed20cd106dbaa50c13e5bc80704bc363a03736ba220d3a870810629dd38db1bcfef64d9a4bd8a2d053

Download Submit
C:\Users\Admin\AppData\Local\Temp\86ba2c36-7e89-4c39-ab8c-76a6309ac232.vbs

Filesize
513B

MD5
25a2f6f8798bd3e951674c59666160ce

SHA1
7321fc7b1430353864efdd1fb36f209e7424c328

SHA256
296a791523f6b02f1ce5ef7ff0ace352209399aa72356bc653d3322fae9dacad

SHA512
3e75ccbdd62e9264d962bdf67c38d661ae2d845c4a4c7be7a25ac48738b6d1be54d251bbded246cbed1b1a89d267227c267dd8ba1a1a1f44fab6649c22f960b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a53cf1ee-1468-40ed-b971-510cccb7b5b8.vbs

Filesize
737B

MD5
69818f18b24c3a109fee2dbf480a8e9d

SHA1
512f22653ee63ba6aa132c94fe37f00ab55c2141

SHA256
b53312b086f4aa30018b147235b7aada63838e512332d3b1d2058b08d861dfb6

SHA512
cfd0d01b9392c047cc153c413f5e9cc3a5a76a8197fa4b82b0b6465a730ca53183a0cd1e3b25697a478b350c0bffe84d62a8a7d40f99984249489ba11fc08bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae3f6dc409a9f48fc6016c698b654b19c506ff76.exe

Filesize
1.8MB

MD5
88fbadcf3341fe8c415609ec35bc3df1

SHA1
5d9a97e866262cb3bdd0a1feba0f0850986d48bf

SHA256
047efe0069dfcd957884ab0f11a74cbe24ecfa12fada1f3ee89b2a1be1c94485

SHA512
5a8f3d1c18052fcb545700009e8a8740d59a2bf93ea33dbd04843d1ccaa84bd6a507339a6e27265753ae1dcfa2868c7700a97a05650ebeafd311407891ed728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b08dfc9d-6f79-442a-963e-b89b8db420a6.vbs

Filesize
737B

MD5
f8f062ac51526654c8f9e3d393269634

SHA1
cc2f5e458b99f228c4d0975bb87d1d2e124c8f5b

SHA256
8bfcd682f07dcc1fc2e77a85114c511c377d1755a36e8d908437a4f287457a48

SHA512
e072c49901e7ca4067d19b09226168aa80954d780fa2b26f89039a5774af9c71e6aba196590a1f8f6a8beb1ed32ea21c57b8032d69cd9aa9808a783f125595d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9eea631-03f6-4fca-8654-362b8f6504fa.vbs

Filesize
737B

MD5
ad255fd9f92749a775187127bb310e80

SHA1
a1511e050068dd4aeffce2a6a581cdae50b81982

SHA256
09a89bbfbd8b6394160b026d938ed33727aa5089034ea49762e4ff1964aec002

SHA512
f61870fa75235434b095ff659fc518071c5f45ca6a4d2e2e5a6942aeef1e092f68c1b6ba8359129211d83cc27dc103076ba831f545019acc36e0671cd1ce240d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d30e4bb8-c221-440c-92f6-349e744da79f.vbs

Filesize
737B

MD5
a92fcad16a443e551671c6fa29eec5d3

SHA1
e7a6efaf828c4534acbce1d8d7d87233c0dd20e5

SHA256
137d9f1b0822743c45894bf41a3560ba29d43d395687e8b5a637a1420bdaed42

SHA512
54d90729e32d612de6ab34ce14b9b348c9e2d1d48989dc819cf6d8e0ef564b1ffd79aa3aea95b90a1f69d807fa3d0e647a8672642b84a8d5f6210311debf5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc5e684c-22dd-42b9-b9f2-d11c72dee333.vbs

Filesize
737B

MD5
a122b1e79396057b6218c3ed7be40d18

SHA1
07b535149b09551e7b50cdb48857bbbefe61cd5e

SHA256
8effe1550fe2a33d720bbf50025756c4342e2f0679aecbf3defe022fd7f1323d

SHA512
527a6eb351d5fa2b5638f4bafbedb96bed52c086af70b9fcf5787cf8e2b38b80ee07ba41d92239b964ac3d33c53a7fbb3371f78c7e5bf73a33debde640e9a590

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat

Filesize
226B

MD5
3a5f3fdf28e084bad636075b1c97d178

SHA1
ef5f62039a4ca4e528ce395a26ce2dae9e0c5b9e

SHA256
0a262fed79cb4a518aa8f838f9f7adc4c3cde0dda502d78112890cf006ea38d4

SHA512
22f69db6b19f89e78dd9c82854f3683e55faeef6b2d03b20c41bfcddbb02b5a331880f14325a85d77b0dd7d7b9bcdbbc5603a1b5111ebfcc94c2c1f392ce37ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
999a2c92edd4774580282d8c8c86bb9c

SHA1
84abe9a52553fcc26dc400f739997ca343177256

SHA256
bbb731e51e6e63374cd9d90c0ca5bd24cd55e38d935338d49ebb2d5982eac8ff

SHA512
0c08d3924738b8daa795697781a8f9220a2169e58356096ead146dfc97447e7e0db4b52b38f0a4b652aedb88b1d7bbb0ddfc38766d45865afa190971a3788dba

Download Submit
C:\Users\Public\Videos\Sample Videos\WMIADAP.exe

Filesize
1.8MB

MD5
7582ed7a9f3ac0c15a2b7c81155d8b59

SHA1
0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6

SHA256
f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

SHA512
6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0

Download Submit
memory/1372-177-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1372-176-0x0000000001030000-0x00000000011FE000-memory.dmp

Filesize
1.8MB

Download
memory/1528-118-0x0000000000770000-0x0000000000782000-memory.dmp

Filesize
72KB

Download
memory/1528-117-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/1528-116-0x0000000001250000-0x000000000141E000-memory.dmp

Filesize
1.8MB

Download
memory/1556-153-0x0000000000E50000-0x000000000101E000-memory.dmp

Filesize
1.8MB

Download
memory/2168-190-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2168-189-0x0000000001150000-0x000000000131E000-memory.dmp

Filesize
1.8MB

Download
memory/2320-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2320-10-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2320-84-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-1-0x0000000000BA0000-0x0000000000D6E000-memory.dmp

Filesize
1.8MB

Download
memory/2320-11-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2320-9-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2320-8-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2320-12-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2320-7-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2320-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/2320-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2320-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2320-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2320-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2320-14-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2320-13-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2508-80-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2508-81-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2584-129-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3060-141-0x0000000000080000-0x000000000024E000-memory.dmp

Filesize
1.8MB

Download