dcrat | e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8def1aecbdb57d595fdb2520dc7009.exe
Size

1.8MB
MD5

6f8def1aecbdb57d595fdb2520dc7009
SHA1

117dedc36c0146a0557e191ac78f22dc61c96b74
SHA256

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed
SHA512

a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2448	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2448	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2156-1-0x0000000000650000-0x000000000081C000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca2-32.dat	dcrat
behavioral2/files/0x000a000000023cb2-65.dat	dcrat
behavioral2/files/0x0009000000023c94-76.dat	dcrat
behavioral2/files/0x0009000000023c98-87.dat	dcrat
behavioral2/files/0x0009000000023c9e-99.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe
3312	powershell.exe
2324	powershell.exe
5064	powershell.exe
2080	powershell.exe
1864	powershell.exe
3064	powershell.exe
2052	powershell.exe
1008	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	6f8def1aecbdb57d595fdb2520dc7009.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 1 IoCs

pid	Process
4792	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXDCBF.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Windows Defender\fontdrvhost.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Windows Defender\5b884080fd4f94	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Crashpad\OfficeClickToRun.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Windows Defender\RCXD47A.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\sppsvc.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Crashpad\OfficeClickToRun.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Crashpad\e6c9b481da804f	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Windows Defender\fontdrvhost.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Crashpad\RCXD73C.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Crashpad\RCXD7BA.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCXDC41.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Windows Multimedia Platform\sppsvc.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\Windows Defender\RCXD4F8.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\Scenarios\6203df4a6bafc7	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\WinSxS\amd64_microsoft.csharp.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_7547c0329667ba97\fontdrvhost.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCXD256.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\RCXD266.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\DiagTrack\Scenarios\lsass.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\DiagTrack\Scenarios\lsass.exe	6f8def1aecbdb57d595fdb2520dc7009.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6f8def1aecbdb57d595fdb2520dc7009.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1176	schtasks.exe
4032	schtasks.exe
552	schtasks.exe
4072	schtasks.exe
3572	schtasks.exe
2728	schtasks.exe
4544	schtasks.exe
1580	schtasks.exe
2520	schtasks.exe
2480	schtasks.exe
2032	schtasks.exe
4012	schtasks.exe
60	schtasks.exe
4652	schtasks.exe
4636	schtasks.exe
4464	schtasks.exe
4204	schtasks.exe
4212	schtasks.exe
4672	schtasks.exe
4788	schtasks.exe
3052	schtasks.exe
3568	schtasks.exe
3680	schtasks.exe
4936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2052	powershell.exe
2052	powershell.exe
4120	powershell.exe
4120	powershell.exe
1008	powershell.exe
3312	powershell.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
3064	powershell.exe
2080	powershell.exe
2080	powershell.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe
5064	powershell.exe
5064	powershell.exe
2324	powershell.exe
2324	powershell.exe
5064	powershell.exe
1864	powershell.exe
1864	powershell.exe
4120	powershell.exe
3064	powershell.exe
3064	powershell.exe
1008	powershell.exe
1008	powershell.exe
2052	powershell.exe
3312	powershell.exe
3312	powershell.exe
2156	6f8def1aecbdb57d595fdb2520dc7009.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4792	csrss.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	6f8def1aecbdb57d595fdb2520dc7009.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4792	csrss.exe
Token: SeBackupPrivilege	3164	vssvc.exe
Token: SeRestorePrivilege	3164	vssvc.exe
Token: SeAuditPrivilege	3164	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1864	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	108
PID 2156 wrote to memory of 1864	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	108
PID 2156 wrote to memory of 3064	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	109
PID 2156 wrote to memory of 3064	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	109
PID 2156 wrote to memory of 4120	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	110
PID 2156 wrote to memory of 4120	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	110
PID 2156 wrote to memory of 5064	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	111
PID 2156 wrote to memory of 5064	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	111
PID 2156 wrote to memory of 2080	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	112
PID 2156 wrote to memory of 2080	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	112
PID 2156 wrote to memory of 1008	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	113
PID 2156 wrote to memory of 1008	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	113
PID 2156 wrote to memory of 2324	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	114
PID 2156 wrote to memory of 2324	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	114
PID 2156 wrote to memory of 3312	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	115
PID 2156 wrote to memory of 3312	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	115
PID 2156 wrote to memory of 2052	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	117
PID 2156 wrote to memory of 2052	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	117
PID 2156 wrote to memory of 4792	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	126
PID 2156 wrote to memory of 4792	2156	6f8def1aecbdb57d595fdb2520dc7009.exe	126
PID 4792 wrote to memory of 452	4792	csrss.exe	131
PID 4792 wrote to memory of 452	4792	csrss.exe	131
PID 4792 wrote to memory of 4032	4792	csrss.exe	132
PID 4792 wrote to memory of 4032	4792	csrss.exe	132
PID 4792 wrote to memory of 3544	4792	csrss.exe	145
PID 4792 wrote to memory of 3544	4792	csrss.exe	145
PID 3544 wrote to memory of 2152	3544	msedge.exe	146
PID 3544 wrote to memory of 2152	3544	msedge.exe	146
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147
PID 3544 wrote to memory of 2012	3544	msedge.exe	147

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe
"C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DiagTrack\Scenarios\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Users\Default\Templates\csrss.exe
  "C:\Users\Default\Templates\csrss.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4792
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3406c07-36fa-448e-8430-658a42a7cfc5.vbs"
    3⤵
    PID:452
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\588a39a8-9248-446a-b78e-131646d3df40.vbs"
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13647/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84ede46f8,0x7ff84ede4708,0x7ff84ede4718
      4⤵
      PID:2152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:2012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      PID:1748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:2512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:1784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      PID:2940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
      4⤵
      PID:1520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
      4⤵
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      4⤵
      PID:1844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
      4⤵
      PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:5316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4814552953903701794,16270288908484532410,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 /prefetch:2
      4⤵
      PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\DiagTrack\Scenarios\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Scenarios\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Scenarios\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Favorites\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\OfficeClickToRun.exe

Filesize
1.8MB

MD5
f2e6952ed6d8403c0efa9978ce7b1237

SHA1
00eb80a40177dbd7a5b5712fcec60cc8080327f3

SHA256
9adaf4b6466358fa728e215f9aa7e14658dd79ce21a3446e5e3cffe5a1bcbf4b

SHA512
e29e5ca472a988a949fdaac71058f84a548a99466c6a632da45fc2777bc6826de57bb278ae263673197b1e0fb560a1297827ca754a29e390a37bd63146715c54

Download Submit
C:\Program Files\Windows Defender\fontdrvhost.exe

Filesize
1.8MB

MD5
41462c2c251c433f1f5498e90a794bd4

SHA1
94c54b79d6da63fa478abd49624feb27bf289093

SHA256
b7b985454236c86b177d9b0c178f2d4f2a8a8856b7d0dd9dc224e6c157f98e3a

SHA512
efb82b0c1217801977b013aa4a1fd10d174fd56d79aa535588713f1e0f2ae5e96777a27066327264e46ce10ebd638ae3492a1a989dc8075498450c880d3f1dbe

Download Submit
C:\Program Files\Windows Multimedia Platform\sppsvc.exe

Filesize
1.8MB

MD5
6f8def1aecbdb57d595fdb2520dc7009

SHA1
117dedc36c0146a0557e191ac78f22dc61c96b74

SHA256
e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

SHA512
a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7

Download Submit
C:\Program Files\Windows Multimedia Platform\sppsvc.exe

Filesize
1.8MB

MD5
faa1e1c24fa00a60fc41489456fbcc6e

SHA1
e4209f4f6e1560a7046802e03821368b8d56fd25

SHA256
a9e228f7abffbb236ade34c772ea983bcd52851aaf7ae2e2661db284211013f5

SHA512
370d7a8ed351794ab9655b1e550f2472b37a777e38b60f554cc26521ad9d0b2541f211f9294bf0f3c58c9ea07c4f6fb759000edff527ef82bf70655f9549a4bb

Download Submit
C:\Recovery\WindowsRE\winlogon.exe

Filesize
1.8MB

MD5
b8f64bcfa3df00c3d85ab857068f6ed5

SHA1
e4054b2243f55518a32493a489dbe0e37a682056

SHA256
3799b72bd597309307e48542f5836a962affb3d96e19c01b8e0c6ab575653dc3

SHA512
131d544e0a7e1ed93b5d5030e8d8767e1f1d4fda4fd4ead64b044f9c7845e1e30fe952e5f4bc5036c97a85fa2c6e9f605d3a4a588b671c735aaeaf184d61f3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72964a38f041c9c3bb1510995bfb536e

SHA1
8543c353baf6b1380e12ec39a19c79cc261edfc5

SHA256
9c87a49781f20abc74c9693bfd61fb2040a42f3b995dd2046bfd97c827839842

SHA512
63fa22144701d4d066917a3fc28baf1440e7be3573ff72bc3f982ca47c3f8bf181f222f50a9b13c59aab1c2ce4928fbb8b794ba57afc46ef8954e98e08ef45bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca1b8335de7280030a75f0cbe8f2566e

SHA1
a5d63aa6383f40a2d22605532cc3d92ab40f2eb1

SHA256
a16c2f29caa973fa83a08d6d7a847be9051789aeed299346da89fc9c38be047c

SHA512
cbc6dd7c4c18066077b997c0fe2b3966ad28fd63505ff3f9fb7d34ae2cd86cdb7d6efa9c5ed3a3d4f3e9db4c43759f51657ca2a5bf250cd5f46512830b5719a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19ec66855a6d03c39002bb3b02286b18

SHA1
fe6b0c7ce7db955e5cb2263c4e9ac92de2a4522d

SHA256
45eff667a414573b14752a848b01589644b6ea1bd99ac1830f4326774b9e4914

SHA512
411516152dc8a3bfd521f9c8a39580d2c1184ea82820b658da03ae343f0c5c0f3c7d96cab8a5a44c0d73340ba2d5d5d88896a4eb779b8fa7aa2cc4a9ca9bc0c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0af4a4cba46f31460507a62c8be832da

SHA1
64360659bde5980896d9645e9b40324b117c21ea

SHA256
b592eb52ca9a1effbc0ba25b83f8eb5f523103cb4f8ab5ad48eafbfb43bf24b5

SHA512
af5067d4050c4ec65a2505d5e7c1393256300e0fb8872bcecad9e8d49b4b0e22e4cf791ed496836329a1ed17fe5369317bce9ecb42e0bdd068ef7dd7c7dfadc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\588a39a8-9248-446a-b78e-131646d3df40.vbs

Filesize
488B

MD5
15636b0fa80695e27c3c51d4c349e7f1

SHA1
73a72dcca53b6a4973480730aead86910685ea10

SHA256
94578659eeefd84cedb8aae85735384b77a3ed0c21f347ff50a049579d120003

SHA512
b29df7f9523b07459d60e7bf57b9d5e212a0c2088e210ec9c6b4a29ab60c3803cb7420d5a166ff8faa077e96b15dd45a54f5dc8ec0518668e81b5152a720571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5junfvnh.nxh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3406c07-36fa-448e-8430-658a42a7cfc5.vbs

Filesize
712B

MD5
ba3c549ea04f01cef87e5044f1f431e8

SHA1
bda770298b6437580998332af8b4a6e65c62162d

SHA256
7ff29659a1f3927e55360ded4d35bf1765efb4517c47e3d95941fe26c7d2a161

SHA512
9a564211370672140d5e7c867d588c08affca5221311f63b8b10c241b6b4448c0e1d4fbe29cd52269fd682478acddf78a662b61bfae026ed61b67ae804f0885f

Download Submit
memory/2156-3-0x00000000029B0000-0x00000000029CC000-memory.dmp

Filesize
112KB

Download
memory/2156-16-0x000000001BB40000-0x000000001BB4C000-memory.dmp

Filesize
48KB

Download
memory/2156-10-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/2156-15-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/2156-11-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/2156-13-0x000000001BB20000-0x000000001BB2C000-memory.dmp

Filesize
48KB

Download
memory/2156-90-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp

Filesize
8KB

Download
memory/2156-12-0x000000001BB10000-0x000000001BB1C000-memory.dmp

Filesize
48KB

Download
memory/2156-102-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-103-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-14-0x000000001BB30000-0x000000001BB3C000-memory.dmp

Filesize
48KB

Download
memory/2156-17-0x000000001BB50000-0x000000001BB5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1-0x0000000000650000-0x000000000081C000-memory.dmp

Filesize
1.8MB

Download
memory/2156-21-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/2156-201-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-25-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-5-0x000000001BA50000-0x000000001BA58000-memory.dmp

Filesize
32KB

Download
memory/2156-0-0x00007FF8563B3000-0x00007FF8563B5000-memory.dmp

Filesize
8KB

Download
memory/2156-18-0x000000001BB60000-0x000000001BB6E000-memory.dmp

Filesize
56KB

Download
memory/2156-20-0x000000001BB80000-0x000000001BB8C000-memory.dmp

Filesize
48KB

Download
memory/2156-19-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/2156-7-0x000000001BA70000-0x000000001BA86000-memory.dmp

Filesize
88KB

Download
memory/2156-24-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-8-0x000000001BA90000-0x000000001BA98000-memory.dmp

Filesize
32KB

Download
memory/2156-9-0x000000001BBF0000-0x000000001BBFA000-memory.dmp

Filesize
40KB

Download
memory/2156-6-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/2156-4-0x000000001BAA0000-0x000000001BAF0000-memory.dmp

Filesize
320KB

Download
memory/2156-285-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/2156-2-0x00007FF8563B0000-0x00007FF856E71000-memory.dmp

Filesize
10.8MB

Download
memory/4120-200-0x000002691FB90000-0x000002691FBB2000-memory.dmp

Filesize
136KB

Download