dcrat | 4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066

Analysis

max time kernel
115s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Size

4.9MB
MD5

9cdaf0a42d931f27c53a40177dbdc0c0
SHA1

9c08f0892d361660011ec390adc4c84f8d8489a5
SHA256

4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066
SHA512

99493e2cc5c0af643bc6fd877030f70f8a46918e36e5eb16637af52b582aa998a3131b7763156e3bea26a35e26f72e29cc87652654af948d682bf80dc7066a23
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2676	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2676	schtasks.exe	31

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1976-3-0x000000001B390000-0x000000001B4BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
984	powershell.exe
1316	powershell.exe
2100	powershell.exe
2420	powershell.exe
3044	powershell.exe
2320	powershell.exe
972	powershell.exe
2448	powershell.exe
1496	powershell.exe
1028	powershell.exe
2460	powershell.exe
3060	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2884	lsass.exe
2312	lsass.exe
2944	lsass.exe
2780	lsass.exe
680	lsass.exe
1328	lsass.exe
2768	lsass.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Stationery\csrss.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\cc11b995f2a76d	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\sppsvc.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\csrss.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCXF235.tmp	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\sppsvc.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\886983d96e3d3e	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\RCXE7A5.tmp	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCXEA16.tmp	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\0a1fd5f707cd16	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Registration\CRMLog\RCXF66B.tmp	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Windows\Registration\CRMLog\System.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Windows\Offline Web Pages\WMIADAP.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Windows\Offline Web Pages\75a57c1bdf437c	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Windows\Registration\CRMLog\System.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File created	C:\Windows\Registration\CRMLog\27d1bcfc3c54e0	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXE5A1.tmp	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
File opened for modification	C:\Windows\Offline Web Pages\WMIADAP.exe	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2740	schtasks.exe
2700	schtasks.exe
2532	schtasks.exe
2588	schtasks.exe
1784	schtasks.exe
1644	schtasks.exe
2184	schtasks.exe
2792	schtasks.exe
1340	schtasks.exe
1124	schtasks.exe
2840	schtasks.exe
1288	schtasks.exe
2836	schtasks.exe
1176	schtasks.exe
2904	schtasks.exe
2912	schtasks.exe
2656	schtasks.exe
1528	schtasks.exe
2852	schtasks.exe
2212	schtasks.exe
1916	schtasks.exe
2764	schtasks.exe
2032	schtasks.exe
1948	schtasks.exe
1300	schtasks.exe
2584	schtasks.exe
2888	schtasks.exe
2964	schtasks.exe
1776	schtasks.exe
2748	schtasks.exe
1768	schtasks.exe
1196	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
2460	powershell.exe
2100	powershell.exe
1496	powershell.exe
3044	powershell.exe
2448	powershell.exe
1316	powershell.exe
3060	powershell.exe
972	powershell.exe
2420	powershell.exe
1028	powershell.exe
984	powershell.exe
2884	lsass.exe
2312	lsass.exe
2944	lsass.exe
2780	lsass.exe
680	lsass.exe
1328	lsass.exe
2768	lsass.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2884	lsass.exe
Token: SeDebugPrivilege	2312	lsass.exe
Token: SeDebugPrivilege	2944	lsass.exe
Token: SeDebugPrivilege	2780	lsass.exe
Token: SeDebugPrivilege	680	lsass.exe
Token: SeDebugPrivilege	1328	lsass.exe
Token: SeDebugPrivilege	2768	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 3044	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	65
PID 1976 wrote to memory of 3044	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	65
PID 1976 wrote to memory of 3044	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	65
PID 1976 wrote to memory of 3060	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	66
PID 1976 wrote to memory of 3060	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	66
PID 1976 wrote to memory of 3060	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	66
PID 1976 wrote to memory of 2420	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	67
PID 1976 wrote to memory of 2420	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	67
PID 1976 wrote to memory of 2420	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	67
PID 1976 wrote to memory of 984	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	68
PID 1976 wrote to memory of 984	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	68
PID 1976 wrote to memory of 984	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	68
PID 1976 wrote to memory of 2460	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	70
PID 1976 wrote to memory of 2460	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	70
PID 1976 wrote to memory of 2460	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	70
PID 1976 wrote to memory of 1316	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	71
PID 1976 wrote to memory of 1316	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	71
PID 1976 wrote to memory of 1316	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	71
PID 1976 wrote to memory of 1028	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	72
PID 1976 wrote to memory of 1028	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	72
PID 1976 wrote to memory of 1028	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	72
PID 1976 wrote to memory of 1496	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	75
PID 1976 wrote to memory of 1496	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	75
PID 1976 wrote to memory of 1496	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	75
PID 1976 wrote to memory of 2100	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	76
PID 1976 wrote to memory of 2100	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	76
PID 1976 wrote to memory of 2100	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	76
PID 1976 wrote to memory of 2448	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	77
PID 1976 wrote to memory of 2448	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	77
PID 1976 wrote to memory of 2448	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	77
PID 1976 wrote to memory of 972	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	78
PID 1976 wrote to memory of 972	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	78
PID 1976 wrote to memory of 972	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	78
PID 1976 wrote to memory of 2320	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	79
PID 1976 wrote to memory of 2320	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	79
PID 1976 wrote to memory of 2320	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	79
PID 1976 wrote to memory of 2884	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	89
PID 1976 wrote to memory of 2884	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	89
PID 1976 wrote to memory of 2884	1976	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe	89
PID 2884 wrote to memory of 2056	2884	lsass.exe	90
PID 2884 wrote to memory of 2056	2884	lsass.exe	90
PID 2884 wrote to memory of 2056	2884	lsass.exe	90
PID 2884 wrote to memory of 1672	2884	lsass.exe	91
PID 2884 wrote to memory of 1672	2884	lsass.exe	91
PID 2884 wrote to memory of 1672	2884	lsass.exe	91
PID 2056 wrote to memory of 2312	2056	WScript.exe	92
PID 2056 wrote to memory of 2312	2056	WScript.exe	92
PID 2056 wrote to memory of 2312	2056	WScript.exe	92
PID 2312 wrote to memory of 1080	2312	lsass.exe	93
PID 2312 wrote to memory of 1080	2312	lsass.exe	93
PID 2312 wrote to memory of 1080	2312	lsass.exe	93
PID 2312 wrote to memory of 2924	2312	lsass.exe	94
PID 2312 wrote to memory of 2924	2312	lsass.exe	94
PID 2312 wrote to memory of 2924	2312	lsass.exe	94
PID 1080 wrote to memory of 2944	1080	WScript.exe	95
PID 1080 wrote to memory of 2944	1080	WScript.exe	95
PID 1080 wrote to memory of 2944	1080	WScript.exe	95
PID 2944 wrote to memory of 2380	2944	lsass.exe	96
PID 2944 wrote to memory of 2380	2944	lsass.exe	96
PID 2944 wrote to memory of 2380	2944	lsass.exe	96
PID 2944 wrote to memory of 2096	2944	lsass.exe	97
PID 2944 wrote to memory of 2096	2944	lsass.exe	97
PID 2944 wrote to memory of 2096	2944	lsass.exe	97
PID 2380 wrote to memory of 2780	2380	WScript.exe	98

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsass.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe
"C:\Users\Admin\AppData\Local\Temp\4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2320
- C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
  "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2884
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91dceb33-f489-4231-9d4f-0c70e948d74e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
      "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2312
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c0df8d4-bae1-490b-966e-3cb3c12e5abe.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3398e527-8cc1-4d2e-b85b-a40ea8cb3170.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\226862cc-fe26-433d-9cb2-6daca622ccae.vbs"
        9⤵
        
        PID:1960
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e2fb5f-9d4e-4f89-95d5-dd3ce8d026bd.vbs"
        11⤵
        
        PID:2128
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d56b262-9ada-41e5-be1f-2c7945b90411.vbs"
        13⤵
        
        PID:2168
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\950642a2-0fa7-4917-a7fa-5c116e6418ed.vbs"
        15⤵
        
        PID:2160
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe"
        16⤵
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83b60b2a-71d2-430e-bcf7-d8409205e289.vbs"
        17⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98bbef89-7a75-486d-a34e-775ecade5960.vbs"
        17⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cccede4-cc12-4e76-a67d-c3157e0c3465.vbs"
        15⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd03a88c-d425-4df8-ab5e-2ebd4a826198.vbs"
        13⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d644b7-0dcf-402e-b480-7b3df4958b59.vbs"
        11⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f256c907-2000-4810-aa3d-8584adc86c7f.vbs"
        9⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84a6b8b6-92aa-4365-be36-ef1a441ee594.vbs"
        7⤵
        
        PID:2096
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b5d664-e24f-43ff-a027-0f8134345254.vbs"
        5⤵
        
        PID:2924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb4b05e3-dd3e-4f15-883b-a581b49c5f4f.vbs"
    3⤵
    PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
4.9MB

MD5
9cdaf0a42d931f27c53a40177dbdc0c0

SHA1
9c08f0892d361660011ec390adc4c84f8d8489a5

SHA256
4176a6d6669707861816ccbdbc7a81ab000bd2853dfdeaec1f40865fb5405066

SHA512
99493e2cc5c0af643bc6fd877030f70f8a46918e36e5eb16637af52b582aa998a3131b7763156e3bea26a35e26f72e29cc87652654af948d682bf80dc7066a23

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
1.5MB

MD5
9c42b1e66168aaa8385d9042acf48e71

SHA1
7451c54850585baba1f73aa383bb0ce271888a08

SHA256
a8220e8ab457209a0bfd3c5de080f5a67a4b63443343b6f2a64c4888c1ab7222

SHA512
f4bf52b40b0094ba09934323276a2ed1ccd5e9e1689e22259ecee20b4fc5ee546a04ec591992466c824cb33535c6a8692bb9a433d1d2a261acf123c4a8e5a80c

Download Submit
C:\Program Files (x86)\Microsoft Office\Stationery\RCXEA16.tmp

Filesize
4.9MB

MD5
82c227938f68f65e98b5e3e849e77467

SHA1
85b9f8f02cfbd458ab96bf2b6e79891724f0ec01

SHA256
35866593c65634d7dbd400cf737afc9c11f9276f004aa92fff8bc89e52b15834

SHA512
c5b979d556d29fddce8545f158dcd2cc0160c84815847c3163ec7394d1210fa78f56eed26d11dd2e2387ec546188d3986b6df87cc84314b21f913a388329b07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d56b262-9ada-41e5-be1f-2c7945b90411.vbs

Filesize
748B

MD5
591fdf061953d1b857aee7001d3892c2

SHA1
502c60d9f679cb8f3887b1b590355009490231d1

SHA256
23c02d7f985898c803503fefc23741ff91bac416bd85923fdb8d3c6d829999c6

SHA512
60e6da17d1b5f2cdbdde18da0c6dd94bbea2e30ac53dd9510fe3f25f6cc30940479a5723b919c7f7f0db8b598f2ff81ccc3df0eae5332f23da39039c79e1df46

Download Submit
C:\Users\Admin\AppData\Local\Temp\226862cc-fe26-433d-9cb2-6daca622ccae.vbs

Filesize
748B

MD5
63f73caa1f66dc29e898b7170eb05a06

SHA1
681dac8e330ec3c59cceb2887a1bd12b97a2340a

SHA256
79e02ce9a94c9dd1088d2dd32ccfcf38695ea25eaa364231d78460119b8930d7

SHA512
73008d0616139898cd84b28bd523aebcbff4f21157dc85ca972b143abccdce4fc43d6d0f0d40d0abda9db76177ac79565a49062f8498028871c625d088514f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3398e527-8cc1-4d2e-b85b-a40ea8cb3170.vbs

Filesize
748B

MD5
cc5be6919731b5cc496ce17e3437385f

SHA1
ceb495b4233d97fcdb93bfa4b7169c928570d6c9

SHA256
7e28965d0ae0bd560a6ebab6433ed947b3e458da29b2544ae6f95b570ba463c6

SHA512
56853aa8c80c25e67026939ef06425132318b3e792a55fa44be47eedbb04177a93dd28cf30faa221b72ebc0023932e37d41b60094d31fa620b80edbf1c627f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\64d4e8ccf489ae3286332e24d7cacae58b7aad22.exe

Filesize
660KB

MD5
cff4d9add96ca9e08457f8aca238dbda

SHA1
2d6cd5137d9112378288896f3943eac381ba550d

SHA256
01591d2b1a43e14de05e348d8ae7d1ef5153bafe7c6f000883ce027d879593e7

SHA512
31fa928ef6b59b4927c7bdb19a68fad5e3dece1be759eb814fca795fffd15119e105e5de29ad198caf5ef31fdb6be22f8d21ef1e7c2ca3d1209776bff82214d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c0df8d4-bae1-490b-966e-3cb3c12e5abe.vbs

Filesize
748B

MD5
46480a235806997b6b5ed2387e6d3c27

SHA1
283890b2e3e0481783f9ca018a59f3e2139e3131

SHA256
8fee5c8dd91e97759e571536ec750428bfbb4b781e97c2bae2ed99ed6a76af59

SHA512
b574a63c01cfb38c682cd3cbc37ab49220d80e0f3186f8e584c4415b86ba8e04b53088f53f3a37c051605f632f6f61f6501b71325af54776ceb0898de0d41abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\83b60b2a-71d2-430e-bcf7-d8409205e289.vbs

Filesize
748B

MD5
94f008413bfbd631cf8c2adec5db1f2a

SHA1
b5552d25159ccc6dc137fbc664a72cc0fd696ccb

SHA256
e72da01a2a0aa0bdee06c98db592e41d09f89d6bfa4106ff5a7642f1dfc76768

SHA512
06c2dd3186ba92f7e5156e383f80b37c1828a7af0ff94859819a2e8b2884b1a5764fb8f17ebcda03bb683f3d3f5ed6b5e107d6b8d7c09292f41acef76f7e83b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\91dceb33-f489-4231-9d4f-0c70e948d74e.vbs

Filesize
748B

MD5
63c2bab8f75afd51bd4de03295717747

SHA1
a844dbaada141e22444b67fd2ec654ba04916735

SHA256
d3ab7bbef06bc3a67d2cad8f64e8038defba93305fc94e57181211e466cd2b80

SHA512
14733e5e01416d88206f644675a2f886309d7a0abc68f7b24c38fb13e259253d3168c8b942b569b3e5d361356130bd204ce3c7e81b483a2d10c5bfac07be3626

Download Submit
C:\Users\Admin\AppData\Local\Temp\950642a2-0fa7-4917-a7fa-5c116e6418ed.vbs

Filesize
748B

MD5
54fb9fe2793acf3d6641e9426ebdd356

SHA1
a0f8ba08c159563886fc57b17677961a4f3f9e71

SHA256
05f7832b86960cd6fd393ea2d540cfe409efc0da627929fbf5035c1feb2295ac

SHA512
8b5a5fa24451bd2640c487713e1198b70bc93e267832757dd22d297ef103560476c14dbcdc32819b27e900b3cb9170feac7f56a3cb5014f0d3cb1e4f7b0ad0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6e2fb5f-9d4e-4f89-95d5-dd3ce8d026bd.vbs

Filesize
747B

MD5
1cf556184ee7c76ba341d3ad3f9496a4

SHA1
dbd5f54ad82f8726489fe19023f13c9c181b7332

SHA256
8637eec1b095d6bcc7821a6c1c8d8e156128eaf425a42ebd6988c26772bcace7

SHA512
c0cacc0d8b8ea141dee1f0df996c4194bd31b521df361243331d551cf03394fde785f751f87e264ec1c9a3bfbcfa1d25968b672b61ff118f89620a705eba5c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb4b05e3-dd3e-4f15-883b-a581b49c5f4f.vbs

Filesize
524B

MD5
fc2c9f115e644660523a2a4c67325c5d

SHA1
84158ab123c34a45caf5c01ed4198ae5341781fd

SHA256
019d36ef30871e2ad0a4efce173ffb992a1202da44ac9bf2755a12ab5fdcd245

SHA512
2f39cd78eef0a6249bfc4227380b2357b1fbfd107ca92fd2f859c3dbffe02e3b03cce067011e2d5142fea64c8dbb0d1a2e7603a3a3477e067c5a04a0e59e32f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp944.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
33d5d626f1a06a839d833c81c2ba42ac

SHA1
43364d57c3e12a9e902e5fcecfb34bb5f3fbf86c

SHA256
717c941dc6a03f09589ea0dbce81a37605d7b4caa75e42fbb6abc251cd4e639f

SHA512
cf5ae7f7af21aae0589ea6d73f6ccc8d51260251f37aef008850ce95c3c501e3feb0f20936e45c6a2c2c7f294b5f6d5e2cf344c94ebb56699fea159ddb8dcafb

Download Submit
memory/1976-3-0x000000001B390000-0x000000001B4BE000-memory.dmp

Filesize
1.2MB

Download
memory/1976-14-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/1976-12-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

Filesize
56KB

Download
memory/1976-11-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/1976-1-0x0000000000FD0000-0x00000000014C4000-memory.dmp

Filesize
5.0MB

Download
memory/1976-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/1976-2-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-154-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/1976-6-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/1976-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/1976-13-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/1976-10-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/1976-15-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1976-9-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1976-4-0x0000000000AC0000-0x0000000000ADC000-memory.dmp

Filesize
112KB

Download
memory/1976-8-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1976-7-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/1976-5-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2312-193-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2460-134-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-135-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2768-265-0x0000000000350000-0x0000000000844000-memory.dmp

Filesize
5.0MB

Download
memory/2876-280-0x00000000000A0000-0x0000000000594000-memory.dmp

Filesize
5.0MB

Download
memory/2884-127-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/2944-208-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download