dcrat | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Size

1.8MB
MD5

7582ed7a9f3ac0c15a2b7c81155d8b59
SHA1

0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6
SHA256

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077
SHA512

6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2412	schtasks.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1088-1-0x0000000001340000-0x000000000150E000-memory.dmp	dcrat
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe	dcrat
C:\Program Files\Uninstall Information\RCX37FB.tmp	dcrat
behavioral1/memory/2200-123-0x0000000000280000-0x000000000044E000-memory.dmp	dcrat
behavioral1/memory/1656-168-0x0000000000190000-0x000000000035E000-memory.dmp	dcrat
behavioral1/memory/1532-180-0x00000000011E0000-0x00000000013AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1544	powershell.exe
548	powershell.exe
2684	powershell.exe
2440	powershell.exe
1268	powershell.exe
2004	powershell.exe
2008	powershell.exe
2044	powershell.exe
2852	powershell.exe
1536	powershell.exe

Executes dropped EXE 3 IoCs

Processes:

OSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid process

2200 OSPPSVC.exe
1656 OSPPSVC.exe
1532 OSPPSVC.exe

pid	process
2200	OSPPSVC.exe
1656	OSPPSVC.exe
1532	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Drops file in Program Files directory 24 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\dwm.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\7a0fd90576e088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX26C3.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Internet Explorer\dwm.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX2D7A.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Internet Explorer\RCX2B77.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\1610b97d3ab4a7	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RCX2F7E.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\RCX358A.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX37FB.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Internet Explorer\6cb0b6c459d5d3	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Uninstall Information\lsass.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\5940a34987c991	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2104	schtasks.exe
1920	schtasks.exe
1108	schtasks.exe
3052	schtasks.exe
308	schtasks.exe
348	schtasks.exe
1212	schtasks.exe
840	schtasks.exe
1928	schtasks.exe
2968	schtasks.exe
584	schtasks.exe
2036	schtasks.exe
2904	schtasks.exe
2532	schtasks.exe
2196	schtasks.exe
2584	schtasks.exe
2648	schtasks.exe
1184	schtasks.exe
2424	schtasks.exe
760	schtasks.exe
2460	schtasks.exe
2080	schtasks.exe
1908	schtasks.exe
2752	schtasks.exe
2644	schtasks.exe
2264	schtasks.exe
2248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOSPPSVC.exeOSPPSVC.exeOSPPSVC.exe

pid	process
1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
1544	powershell.exe
2852	powershell.exe
2004	powershell.exe
548	powershell.exe
1536	powershell.exe
2440	powershell.exe
2684	powershell.exe
1268	powershell.exe
2044	powershell.exe
2008	powershell.exe
2200	OSPPSVC.exe
1656	OSPPSVC.exe
1532	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2200	OSPPSVC.exe
Token: SeDebugPrivilege	1656	OSPPSVC.exe
Token: SeDebugPrivilege	1532	OSPPSVC.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeOSPPSVC.exeWScript.exeOSPPSVC.exeWScript.exeOSPPSVC.exe

description	pid	process	target process
PID 1088 wrote to memory of 548	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 548	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 548	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2684	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2684	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2684	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1536	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1536	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1536	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1544	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1544	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1544	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2852	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2852	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2852	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2440	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2440	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2440	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2044	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2044	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2044	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2008	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2008	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2008	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2004	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2004	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2004	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1268	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1268	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 1268	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 1088 wrote to memory of 2200	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	OSPPSVC.exe
PID 1088 wrote to memory of 2200	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	OSPPSVC.exe
PID 1088 wrote to memory of 2200	1088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	OSPPSVC.exe
PID 2200 wrote to memory of 1824	2200	OSPPSVC.exe	WScript.exe
PID 2200 wrote to memory of 1824	2200	OSPPSVC.exe	WScript.exe
PID 2200 wrote to memory of 1824	2200	OSPPSVC.exe	WScript.exe
PID 2200 wrote to memory of 2460	2200	OSPPSVC.exe	WScript.exe
PID 2200 wrote to memory of 2460	2200	OSPPSVC.exe	WScript.exe
PID 2200 wrote to memory of 2460	2200	OSPPSVC.exe	WScript.exe
PID 1824 wrote to memory of 1656	1824	WScript.exe	OSPPSVC.exe
PID 1824 wrote to memory of 1656	1824	WScript.exe	OSPPSVC.exe
PID 1824 wrote to memory of 1656	1824	WScript.exe	OSPPSVC.exe
PID 1656 wrote to memory of 2568	1656	OSPPSVC.exe	WScript.exe
PID 1656 wrote to memory of 2568	1656	OSPPSVC.exe	WScript.exe
PID 1656 wrote to memory of 2568	1656	OSPPSVC.exe	WScript.exe
PID 1656 wrote to memory of 444	1656	OSPPSVC.exe	WScript.exe
PID 1656 wrote to memory of 444	1656	OSPPSVC.exe	WScript.exe
PID 1656 wrote to memory of 444	1656	OSPPSVC.exe	WScript.exe
PID 2568 wrote to memory of 1532	2568	WScript.exe	OSPPSVC.exe
PID 2568 wrote to memory of 1532	2568	WScript.exe	OSPPSVC.exe
PID 2568 wrote to memory of 1532	2568	WScript.exe	OSPPSVC.exe
PID 1532 wrote to memory of 2948	1532	OSPPSVC.exe	WScript.exe
PID 1532 wrote to memory of 2948	1532	OSPPSVC.exe	WScript.exe
PID 1532 wrote to memory of 2948	1532	OSPPSVC.exe	WScript.exe
PID 1532 wrote to memory of 2844	1532	OSPPSVC.exe	WScript.exe
PID 1532 wrote to memory of 2844	1532	OSPPSVC.exe	WScript.exe
PID 1532 wrote to memory of 2844	1532	OSPPSVC.exe	WScript.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

OSPPSVC.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeOSPPSVC.exeOSPPSVC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
"C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Program Files\7-Zip\Lang\OSPPSVC.exe
  "C:\Program Files\7-Zip\Lang\OSPPSVC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcb3be21-e78c-4acd-964c-55962f2f6c70.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Program Files\7-Zip\Lang\OSPPSVC.exe
      "C:\Program Files\7-Zip\Lang\OSPPSVC.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12302323-f79b-4565-9ec1-669316cfe4d7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Program Files\7-Zip\Lang\OSPPSVC.exe
        
        "C:\Program Files\7-Zip\Lang\OSPPSVC.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34693eda-c0b6-49c5-ad1a-b6d142b78736.vbs"
        7⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3b9241-c017-40cf-8c99-fbc9e9515a43.vbs"
        7⤵
        
        PID:2844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cc7254d-50cf-4675-aace-d76707187aa8.vbs"
        5⤵
        
        PID:444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d707882f-5d56-4ae2-af17-aa1c176362f5.vbs"
    3⤵
    PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\explorer.exe

Filesize
1.8MB

MD5
7582ed7a9f3ac0c15a2b7c81155d8b59

SHA1
0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6

SHA256
f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

SHA512
6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0

Download Submit
C:\Program Files\Uninstall Information\RCX37FB.tmp

Filesize
1.8MB

MD5
9c5ba6aa6ad7c8ab6651d37f09bd1a56

SHA1
7025a76a962a1b5b37ba0159294f6a47783ff9f3

SHA256
833a4a51e115f786021d73ff6fe1272b0c78a63189185c9481c5f05f13578a0a

SHA512
7208a885c1219ce3a399c2b508164a4b433231513630726008a0b24cc12ede9fa65362af653a58b2cda316ac080f513ea72f9d5dd73342fead3950401294b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\12302323-f79b-4565-9ec1-669316cfe4d7.vbs

Filesize
715B

MD5
651586844fe602f72a73da0320a9a321

SHA1
e7ed3e123d99daa12d8fd848b6842376ff148206

SHA256
da1fdd7809491c825eb1b8497c9770f36b3b54d75390180f74f02ceb8937864d

SHA512
6f9a183fb8c7f6108c577f5437651ceeac5ee08416ab96b13839c9862dee479cf3c19119f2508cbb0fd57292f5ea1bf9265ecd10dcbc42e1ccde8ee800225cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\34693eda-c0b6-49c5-ad1a-b6d142b78736.vbs

Filesize
715B

MD5
b3f52c2bd48efa05b6efa4af806c3267

SHA1
954451fe2b74a2215f73c2d0788679e7786eca1c

SHA256
c6762a7fe4883efcc7b58f6def0b73f22881f18ddb2c179cc15a0974ddd0db29

SHA512
2c3125f0dfb646313e2c709350a2cb77ac906ceba97b0b521e1f206525838967b12c27bea7c761ab7a362acfc5e463dfc805b3e66b24e38d18dbcf90daf75049

Download Submit
C:\Users\Admin\AppData\Local\Temp\d707882f-5d56-4ae2-af17-aa1c176362f5.vbs

Filesize
491B

MD5
09be6b3ee19723c7c8e6aba3916f6980

SHA1
0effbc20850de2df5ca413ac5e12c8c71ddc90de

SHA256
d5c1ab3aeb61e170468ae6b46d2ab1400570ad9920f13727d7ded0e3c3c7687a

SHA512
517479f5abbdfa9d5e3ecd0e55a6dfacc906ae833ff6061570003e137285bf622e5ad505b54a7a89fc0d7761c3425c5192f4d92a4716b94d741c181cc9a6810a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcb3be21-e78c-4acd-964c-55962f2f6c70.vbs

Filesize
715B

MD5
09064eea1e98cb0ca7ec3ef0bb996dad

SHA1
e8680ec2fc5cdc0381451ce8c22af8d032df66c9

SHA256
5b579e26f506de874a26b0d9a123a7fae551034a5d1221469f1d3f89a4a03c5f

SHA512
5ce2e428cb5f1742d9268c38b4c8cf3b3af5e09dcfc3d22ad7909ad93e1649e192bebc26080b56bb53eab75cf6ed17508121f34455d657f87b0f93b5a82b24f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f24da80cb277761e5a0e580c2a12f865

SHA1
52886034179d29794123a91f643c315417a4251b

SHA256
c215c99af4b0a39ab079905043defa46f714c539dad9bcad6d725854885836f3

SHA512
16ceca1984f13abb50ff98d1c53724f17247a356eb7bb32abe632bf8407edf2022e8e3bf09f3c86ee27c3a554980d76d1a16c1a2c3a62b6148b298628504eed7

Download Submit
memory/1088-14-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/1088-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1088-9-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/1088-10-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1088-11-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1088-12-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/1088-13-0x0000000000B50000-0x0000000000B5E000-memory.dmp

Filesize
56KB

Download
memory/1088-0-0x000007FEF5063000-0x000007FEF5064000-memory.dmp

Filesize
4KB

Download
memory/1088-15-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1088-7-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/1088-6-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/1088-8-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1088-1-0x0000000001340000-0x000000000150E000-memory.dmp

Filesize
1.8MB

Download
memory/1088-141-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-2-0x000007FEF5060000-0x000007FEF5A4C000-memory.dmp

Filesize
9.9MB

Download
memory/1088-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1088-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1532-180-0x00000000011E0000-0x00000000013AE000-memory.dmp

Filesize
1.8MB

Download
memory/1532-181-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1544-126-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1656-168-0x0000000000190000-0x000000000035E000-memory.dmp

Filesize
1.8MB

Download
memory/2200-157-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/2200-123-0x0000000000280000-0x000000000044E000-memory.dmp

Filesize
1.8MB

Download
memory/2852-125-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download