dcrat | e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f8def1aecbdb57d595fdb2520dc7009.exe
Size

1.8MB
MD5

6f8def1aecbdb57d595fdb2520dc7009
SHA1

117dedc36c0146a0557e191ac78f22dc61c96b74
SHA256

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed
SHA512

a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2168	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2168	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2136-1-0x0000000001350000-0x000000000151C000-memory.dmp	dcrat
behavioral1/files/0x00060000000174bf-30.dat	dcrat
behavioral1/files/0x000500000001a46a-67.dat	dcrat
behavioral1/files/0x000b000000019618-136.dat	dcrat
behavioral1/files/0x00060000000191fd-160.dat	dcrat
behavioral1/files/0x000b000000019240-195.dat	dcrat
behavioral1/files/0x00070000000193b7-206.dat	dcrat
behavioral1/memory/2796-341-0x0000000000390000-0x000000000055C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
1736	powershell.exe
1872	powershell.exe
2084	powershell.exe
2316	powershell.exe
1420	powershell.exe
2540	powershell.exe
560	powershell.exe
3004	powershell.exe
2116	powershell.exe
1724	powershell.exe
2160	powershell.exe
2368	powershell.exe
2304	powershell.exe
1984	powershell.exe
1440	powershell.exe
1576	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	lsm.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\7-Zip\Lang\bf17d6696a7290	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXD8F7.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\services.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\services.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXD210.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\lsm.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Uninstall Information\101b941d020240	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\RCXC566.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\RCXC565.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXC76A.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXDD6E.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXDDDD.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\101b941d020240	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Uninstall Information\lsm.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXC76B.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXD20F.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\RCXD8F8.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\c5b4cb5e9653cc	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\886983d96e3d3e	6f8def1aecbdb57d595fdb2520dc7009.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Setup\State\RCXD6F3.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\Setup\State\RCXD6F4.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\Setup\State\winlogon.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\Setup\State\cc11b995f2a76d	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\Logs\DPX\RCXD481.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\Logs\DPX\audiodg.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\Logs\DPX\audiodg.exe	6f8def1aecbdb57d595fdb2520dc7009.exe
File created	C:\Windows\Logs\DPX\42af1c969fbb7b	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\Logs\DPX\RCXD4EF.tmp	6f8def1aecbdb57d595fdb2520dc7009.exe
File opened for modification	C:\Windows\Setup\State\winlogon.exe	6f8def1aecbdb57d595fdb2520dc7009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
1984	schtasks.exe
1988	schtasks.exe
1680	schtasks.exe
952	schtasks.exe
2448	schtasks.exe
904	schtasks.exe
700	schtasks.exe
560	schtasks.exe
2092	schtasks.exe
2228	schtasks.exe
2316	schtasks.exe
2712	schtasks.exe
2556	schtasks.exe
1608	schtasks.exe
1260	schtasks.exe
2040	schtasks.exe
2604	schtasks.exe
2708	schtasks.exe
1944	schtasks.exe
2084	schtasks.exe
1884	schtasks.exe
2320	schtasks.exe
696	schtasks.exe
2856	schtasks.exe
2780	schtasks.exe
3016	schtasks.exe
1104	schtasks.exe
1232	schtasks.exe
1560	schtasks.exe
3068	schtasks.exe
1000	schtasks.exe
2160	schtasks.exe
1876	schtasks.exe
1816	schtasks.exe
328	schtasks.exe
2020	schtasks.exe
2836	schtasks.exe
2672	schtasks.exe
1016	schtasks.exe
600	schtasks.exe
964	schtasks.exe
2816	schtasks.exe
2636	schtasks.exe
1792	schtasks.exe
1292	schtasks.exe
536	schtasks.exe
1592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
2304	powershell.exe
1440	powershell.exe
1984	powershell.exe
2368	powershell.exe
560	powershell.exe
1956	powershell.exe
2160	powershell.exe
3004	powershell.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
1872	powershell.exe
2316	powershell.exe
2116	powershell.exe
1420	powershell.exe
2084	powershell.exe
2136	6f8def1aecbdb57d595fdb2520dc7009.exe
1576	powershell.exe
1724	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	lsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	6f8def1aecbdb57d595fdb2520dc7009.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2796	lsm.exe
Token: SeBackupPrivilege	1440	vssvc.exe
Token: SeRestorePrivilege	1440	vssvc.exe
Token: SeAuditPrivilege	1440	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1440	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	80
PID 2136 wrote to memory of 1440	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	80
PID 2136 wrote to memory of 1440	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	80
PID 2136 wrote to memory of 1984	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	81
PID 2136 wrote to memory of 1984	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	81
PID 2136 wrote to memory of 1984	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	81
PID 2136 wrote to memory of 2368	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	82
PID 2136 wrote to memory of 2368	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	82
PID 2136 wrote to memory of 2368	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	82
PID 2136 wrote to memory of 2304	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	83
PID 2136 wrote to memory of 2304	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	83
PID 2136 wrote to memory of 2304	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	83
PID 2136 wrote to memory of 2160	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	86
PID 2136 wrote to memory of 2160	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	86
PID 2136 wrote to memory of 2160	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	86
PID 2136 wrote to memory of 3004	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	87
PID 2136 wrote to memory of 3004	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	87
PID 2136 wrote to memory of 3004	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	87
PID 2136 wrote to memory of 1872	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	88
PID 2136 wrote to memory of 1872	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	88
PID 2136 wrote to memory of 1872	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	88
PID 2136 wrote to memory of 560	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	89
PID 2136 wrote to memory of 560	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	89
PID 2136 wrote to memory of 560	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	89
PID 2136 wrote to memory of 1724	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	90
PID 2136 wrote to memory of 1724	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	90
PID 2136 wrote to memory of 1724	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	90
PID 2136 wrote to memory of 1420	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	91
PID 2136 wrote to memory of 1420	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	91
PID 2136 wrote to memory of 1420	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	91
PID 2136 wrote to memory of 1736	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	92
PID 2136 wrote to memory of 1736	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	92
PID 2136 wrote to memory of 1736	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	92
PID 2136 wrote to memory of 1956	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	93
PID 2136 wrote to memory of 1956	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	93
PID 2136 wrote to memory of 1956	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	93
PID 2136 wrote to memory of 2540	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	95
PID 2136 wrote to memory of 2540	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	95
PID 2136 wrote to memory of 2540	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	95
PID 2136 wrote to memory of 2084	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	105
PID 2136 wrote to memory of 2084	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	105
PID 2136 wrote to memory of 2084	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	105
PID 2136 wrote to memory of 2316	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	107
PID 2136 wrote to memory of 2316	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	107
PID 2136 wrote to memory of 2316	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	107
PID 2136 wrote to memory of 2116	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	108
PID 2136 wrote to memory of 2116	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	108
PID 2136 wrote to memory of 2116	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	108
PID 2136 wrote to memory of 1576	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	109
PID 2136 wrote to memory of 1576	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	109
PID 2136 wrote to memory of 1576	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	109
PID 2136 wrote to memory of 2684	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	114
PID 2136 wrote to memory of 2684	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	114
PID 2136 wrote to memory of 2684	2136	6f8def1aecbdb57d595fdb2520dc7009.exe	114
PID 2684 wrote to memory of 1700	2684	cmd.exe	116
PID 2684 wrote to memory of 1700	2684	cmd.exe	116
PID 2684 wrote to memory of 1700	2684	cmd.exe	116
PID 2684 wrote to memory of 2796	2684	cmd.exe	117
PID 2684 wrote to memory of 2796	2684	cmd.exe	117
PID 2684 wrote to memory of 2796	2684	cmd.exe	117
PID 2796 wrote to memory of 1040	2796	lsm.exe	118
PID 2796 wrote to memory of 1040	2796	lsm.exe	118
PID 2796 wrote to memory of 1040	2796	lsm.exe	118
PID 2796 wrote to memory of 1704	2796	lsm.exe	119

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6f8def1aecbdb57d595fdb2520dc7009.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe
"C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\6f8def1aecbdb57d595fdb2520dc7009.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DPX\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x3o3G0F1R8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1700
- - C:\Program Files (x86)\Uninstall Information\lsm.exe
    "C:\Program Files (x86)\Uninstall Information\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e229fb8-46e2-4cc1-974e-1f40909d5acd.vbs"
      4⤵
      PID:1040
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8d9bb68-8310-498b-8c47-01ea0eb9f6ee.vbs"
      4⤵
      PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\sd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8def1aecbdb57d595fdb2520dc70096" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8def1aecbdb57d595fdb2520dc7009" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6f8def1aecbdb57d595fdb2520dc70096" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\6f8def1aecbdb57d595fdb2520dc7009.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\DPX\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DPX\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.8MB

MD5
96f182561c801b0cab2a357d6c1e92fb

SHA1
cf28e936a588569d9406caeafb165d72a1d8dc58

SHA256
08fb9040ca6033a02a023173a64bac02d5cfa41a11c207a4d383200d290029c7

SHA512
e3d5d43b878d8ff7479778ab7d9da9a01d317b11cb384df5a81a7dbb33379f4106da1040657330ab936d77743199e25489d1327b897f9fe92d8b733704a610cf

Download Submit
C:\Program Files (x86)\Uninstall Information\lsm.exe

Filesize
1.8MB

MD5
1b68182b7a3262ad2803a71b0d468bbc

SHA1
cf9b6ba58a6b17533019987bca28e8c9750679cb

SHA256
5eec9c8ca769f942faea7713a77ef2364362da2675ed36e81cfacd8129b297e5

SHA512
49184452c1883ee8d601aab76f2ed6db4fc64d70bbb2e797d842d00ab40190cec706ca49833b5c8e40213196d2ab913cd95d383a68deba32ec0297de082533f4

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\Replicate\lsass.exe

Filesize
1.8MB

MD5
d89f2ed184fc96eb400bc21148623592

SHA1
07a38075e2ed3b7dd64442e0452dd815aea02f19

SHA256
4081caf7aecfab00f70ef4b3e74aa5fb84959aca8a9730de672ab71225ce5e31

SHA512
701752f9f02477394e629cc57c92a4eeaf2145a257f288297f1fa8e0db85250604dcdba880c9bc41d99b8296a1080bb6b5273c8a0a2d47ce661701830cb32e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e229fb8-46e2-4cc1-974e-1f40909d5acd.vbs

Filesize
728B

MD5
804524b635cd0e277d113e81ec5f24f4

SHA1
951ab86f4b9ca6b76aef2d7c3434f571acbdb20a

SHA256
62d9b0f6b29bf23c38e08533aa264521729752699e0f3c9841df7f5b1aaea127

SHA512
9450cccd9940f8f7f9fceaf86ca673451c2dfccd980301ff93283d8ddf2c29bc310e1a03d214759c0acd426f167a722eabea80aee5368dce67f846fa0007dba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8d9bb68-8310-498b-8c47-01ea0eb9f6ee.vbs

Filesize
504B

MD5
3ebde9aeb4d8f63c70a4459b00af35ae

SHA1
0838b407f000d503deb357005f64d935256897e2

SHA256
4925e63cc2328790a339ccf3992d6b4eda99f6936b09b2f8c62cb1b391014a7c

SHA512
09c331b047cc93a24de8d252112f901b9dc357f1464070d32a5bfdb8b8f647e994dc21510b775bbc7d10254bc27aee8a779004f9ba3b58f1def7cd33fd8104b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\x3o3G0F1R8.bat

Filesize
217B

MD5
d75f281ff515beb6510677785fd0d216

SHA1
bc614b586c50daf29bc7b57abd5395caecc2aa63

SHA256
1ea8911b1a1dc58b8b2e71a219485e5937868874ed4e92e2344469c972be946d

SHA512
875942b309e419b489a7da601a7910f79937e91065a42a2aeef35676dc75eb1d156f29f107a56051c07ddf09f1308545b3c245af36ae810bbd49f4135a00f506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KESVX2Y3A3SAVDCRQVBJ.temp

Filesize
7KB

MD5
ee5481a2202906f9e7e92e28d3a01c32

SHA1
d38e8999715093986a42412c6a584a51ce9d32a4

SHA256
ab9c3d78d090ac38861efd723ca4394ddb99dd42662b366c00cfa514f849c900

SHA512
227008f3874c3593a5c72435d2e13e44dac65d128fbc40edad90bfcdeddf924f45286271cede58e33ee1929f27104c14e495b4ae26be787a06f6f7cd9519999f

Download Submit
C:\Users\Default\OSPPSVC.exe

Filesize
1.8MB

MD5
cde68082a0f9410187faf43a58c64c37

SHA1
df33a38bebecb23c474ad9f32bfa947eb88a03c7

SHA256
93d53808f6b3718629f53c72348eb1ebefb8591592e1b0aa1c7a9c8c0dc7eb53

SHA512
e60b088185cba623fd8492f1c7ac051d630769eb87d997607e180cd67a675c4aa0ef7b723b86f3d4b1f42be13084317449778898253104216807067a932968c8

Download Submit
C:\Users\Default\smss.exe

Filesize
1.8MB

MD5
6f8def1aecbdb57d595fdb2520dc7009

SHA1
117dedc36c0146a0557e191ac78f22dc61c96b74

SHA256
e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

SHA512
a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7

Download Submit
C:\Windows\Logs\DPX\audiodg.exe

Filesize
1.8MB

MD5
6d426b360a6e197736bcb6f877ac57b5

SHA1
23bfdfad3da24dd832c7488b020c87062bd09376

SHA256
0a88121deff5f23ca70c654e4db3cbcb48fc0b5fd447a692126317b5e1ec9a13

SHA512
27af56313d49be3f5846906fa0538fd15e2758c41731abc4ad81a88626435b41a4407fa2c6b6721ef4fe5c242beca16916f4259f390dc72d9f66d6a06120562d

Download Submit
memory/1440-274-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2136-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2136-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2136-12-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2136-15-0x0000000000BC0000-0x0000000000BCC000-memory.dmp

Filesize
48KB

Download
memory/2136-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2136-17-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/2136-16-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2136-19-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2136-18-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2136-23-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-20-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2136-11-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2136-9-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2136-13-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/2136-8-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2136-7-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2136-6-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2136-209-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2136-233-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-245-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-5-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2136-1-0x0000000001350000-0x000000000151C000-memory.dmp

Filesize
1.8MB

Download
memory/2136-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2136-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2136-338-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2136-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-276-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2796-341-0x0000000000390000-0x000000000055C000-memory.dmp

Filesize
1.8MB

Download