dcrat | e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Size

1.8MB
MD5

6f8def1aecbdb57d595fdb2520dc7009
SHA1

117dedc36c0146a0557e191ac78f22dc61c96b74
SHA256

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed
SHA512

a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2800	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2800	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2684-1-0x0000000000C30000-0x0000000000DFC000-memory.dmp	dcrat
behavioral1/files/0x000500000001964f-30.dat	dcrat
behavioral1/files/0x000500000001a503-61.dat	dcrat
behavioral1/files/0x00080000000193d0-83.dat	dcrat
behavioral1/memory/1072-263-0x0000000000E60000-0x000000000102C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2876	powershell.exe
1724	powershell.exe
2272	powershell.exe
2396	powershell.exe
2952	powershell.exe
1940	powershell.exe
1716	powershell.exe
2992	powershell.exe
1720	powershell.exe
2456	powershell.exe
1964	powershell.exe
2464	powershell.exe
2768	powershell.exe
2208	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1072	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Windows NT\RCX95EE.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Windows NT\6ccacd8608530f	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCX91E4.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RCX91E5.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX8964.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\27d1bcfc3c54e0	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCX8963.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Windows NT\RCX95ED.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Windows NT\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\b2f347009e01e4	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Windows NT\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\spoolsv.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\RCX81D0.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\AppPatch\RCX8DDB.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\explorer.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\spoolsv.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\L2Schemas\f3b6ecef712a24	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\AppPatch\6ccacd8608530f	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\L2Schemas\7a0fd90576e088	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\RCX8133.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\RCX985F.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX9AD1.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\Prefetch\ReadyBoot\b2f347009e01e4	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\AppPatch\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX9AD2.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\AppPatch\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Windows\L2Schemas\explorer.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\AppPatch\RCX8DDA.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Windows\L2Schemas\RCX9860.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
480	schtasks.exe
2544	schtasks.exe
1860	schtasks.exe
1760	schtasks.exe
2188	schtasks.exe
1220	schtasks.exe
2436	schtasks.exe
2880	schtasks.exe
2912	schtasks.exe
372	schtasks.exe
1284	schtasks.exe
1232	schtasks.exe
1752	schtasks.exe
1152	schtasks.exe
2616	schtasks.exe
988	schtasks.exe
1716	schtasks.exe
2820	schtasks.exe
2164	schtasks.exe
2632	schtasks.exe
2240	schtasks.exe
2604	schtasks.exe
2000	schtasks.exe
3068	schtasks.exe
2268	schtasks.exe
1132	schtasks.exe
2636	schtasks.exe
2432	schtasks.exe
1572	schtasks.exe
1696	schtasks.exe
916	schtasks.exe
2412	schtasks.exe
1040	schtasks.exe
2244	schtasks.exe
1740	schtasks.exe
2336	schtasks.exe
1628	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2992	powershell.exe
1716	powershell.exe
2876	powershell.exe
1720	powershell.exe
1964	powershell.exe
1940	powershell.exe
1724	powershell.exe
2952	powershell.exe
2208	powershell.exe
2464	powershell.exe
2396	powershell.exe
2272	powershell.exe
2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
2768	powershell.exe
2456	powershell.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe
1072	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1072	csrss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1072	csrss.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2876	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	70
PID 2684 wrote to memory of 2876	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	70
PID 2684 wrote to memory of 2876	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	70
PID 2684 wrote to memory of 2992	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	71
PID 2684 wrote to memory of 2992	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	71
PID 2684 wrote to memory of 2992	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	71
PID 2684 wrote to memory of 2208	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	73
PID 2684 wrote to memory of 2208	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	73
PID 2684 wrote to memory of 2208	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	73
PID 2684 wrote to memory of 1716	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	74
PID 2684 wrote to memory of 1716	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	74
PID 2684 wrote to memory of 1716	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	74
PID 2684 wrote to memory of 2768	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	75
PID 2684 wrote to memory of 2768	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	75
PID 2684 wrote to memory of 2768	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	75
PID 2684 wrote to memory of 1720	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	76
PID 2684 wrote to memory of 1720	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	76
PID 2684 wrote to memory of 1720	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	76
PID 2684 wrote to memory of 2396	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	77
PID 2684 wrote to memory of 2396	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	77
PID 2684 wrote to memory of 2396	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	77
PID 2684 wrote to memory of 1964	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	78
PID 2684 wrote to memory of 1964	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	78
PID 2684 wrote to memory of 1964	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	78
PID 2684 wrote to memory of 1940	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	79
PID 2684 wrote to memory of 1940	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	79
PID 2684 wrote to memory of 1940	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	79
PID 2684 wrote to memory of 1724	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	80
PID 2684 wrote to memory of 1724	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	80
PID 2684 wrote to memory of 1724	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	80
PID 2684 wrote to memory of 2464	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	81
PID 2684 wrote to memory of 2464	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	81
PID 2684 wrote to memory of 2464	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	81
PID 2684 wrote to memory of 2952	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	82
PID 2684 wrote to memory of 2952	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	82
PID 2684 wrote to memory of 2952	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	82
PID 2684 wrote to memory of 2456	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	84
PID 2684 wrote to memory of 2456	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	84
PID 2684 wrote to memory of 2456	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	84
PID 2684 wrote to memory of 2272	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	85
PID 2684 wrote to memory of 2272	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	85
PID 2684 wrote to memory of 2272	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	85
PID 2684 wrote to memory of 1072	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	98
PID 2684 wrote to memory of 1072	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	98
PID 2684 wrote to memory of 1072	2684	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	98
PID 1072 wrote to memory of 2144	1072	csrss.exe	99
PID 1072 wrote to memory of 2144	1072	csrss.exe	99
PID 1072 wrote to memory of 2144	1072	csrss.exe	99
PID 1072 wrote to memory of 1264	1072	csrss.exe	100
PID 1072 wrote to memory of 1264	1072	csrss.exe	100
PID 1072 wrote to memory of 1264	1072	csrss.exe	100

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
"C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Users\Default User\csrss.exe
  "C:\Users\Default User\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1072
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d1ffb69-ee6a-4f0b-a0b8-e8b72ce0ff5e.vbs"
    3⤵
    PID:2144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\572258ef-1f35-4b16-81de-b9c6cc571494.vbs"
    3⤵
    PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ede" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ede" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ede" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ede" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d1ffb69-ee6a-4f0b-a0b8-e8b72ce0ff5e.vbs

Filesize
707B

MD5
7d743a031e1287d1faa5a3cc4f2ea952

SHA1
be3185987315a54fcaeca34166f1d54fb58036b2

SHA256
c46428d89e1b5925b505d57012dd382ba2dd817d40e38dbaa2b6259cbf0f427b

SHA512
ed2f6cc5ef1166e2478df7b017faf7b98019db7f684e1592d181ad5676273752d73833279a9b0ce025f95284e0cac4e14c00a00f605dcf15a88ca45fb86c2a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\572258ef-1f35-4b16-81de-b9c6cc571494.vbs

Filesize
483B

MD5
80471ac1b8d03ab22093271d7dc75206

SHA1
c8a9de756cf0ba4788f75bc640aa4998dcfbb293

SHA256
b1dbee0ff89021c713de6a191b7e06e78cd1888ce4c777f98cceef9d4cad3909

SHA512
ef3686cba6d5021d3d910044a133b7d244e86c09c9fee5cf60c017c44912714771375f5d341577c3d299917a24b3e7531f4dc0213a189df29d54d41781ee9e66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0d06cd3722598271111ac3ce14fc17c5

SHA1
07c3e04b74223e49fbb35d03b6b9fc6cdd71e157

SHA256
89f4a4166f2bca37947a9ceb3c7a43d010c78e1e12c5fbae167557316ddf11fa

SHA512
afc46a1faba68bde0278e62391a84bb95fe66d3d6704c6a279bbb49ab6b4eda4aac668008ca47ddf38cecddb042b525e3c2dcc5bcbd3f19534d4a70c49d0baf3

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.8MB

MD5
6f8def1aecbdb57d595fdb2520dc7009

SHA1
117dedc36c0146a0557e191ac78f22dc61c96b74

SHA256
e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

SHA512
a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7

Download Submit
C:\Users\Default\services.exe

Filesize
1.8MB

MD5
54cef0ed73ef393f2e2cbced0eebf3a5

SHA1
7108612f5355268587b9b57cae9fba0adcbdd009

SHA256
4ba55976b22c881a2bd701eb3d4a8884ee792d140fa1c6e2428fc01e11f7b7fd

SHA512
602c6e5b576134d3556505d1bcefc56696a062f408ff2f30eb5d2d13e312537d49328089d6ffdc71a9aa71b3ef85791874935d83c0f017af0670f50981d3d26b

Download Submit
C:\Windows\L2Schemas\spoolsv.exe

Filesize
1.8MB

MD5
64ec08294f9702f69475b083053deaeb

SHA1
1fd28c96b2db6905bb42935407edf38d30b970dc

SHA256
dc2c4b887a0c409e9b7a9bfbf6f38a4c6503b1cb72acb9bfdc4923bce3f8c656

SHA512
97a07a4f32163888fba90f8f564cf5866a94913642e38f99623a6871a191d6ea06d8e21bbca7492ae575b54f7679905b5646b77b404ffdef2f6fecabe6b31dad

Download Submit
memory/1072-263-0x0000000000E60000-0x000000000102C000-memory.dmp

Filesize
1.8MB

Download
memory/1716-228-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-8-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2684-23-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-10-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2684-11-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/2684-12-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/2684-13-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2684-15-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/2684-16-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2684-19-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2684-18-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2684-20-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2684-9-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2684-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2684-7-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2684-6-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/2684-179-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2684-204-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-5-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2684-4-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2684-1-0x0000000000C30000-0x0000000000DFC000-memory.dmp

Filesize
1.8MB

Download
memory/2684-3-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/2684-286-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-285-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-270-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download