dcrat | e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Size

1.8MB
MD5

6f8def1aecbdb57d595fdb2520dc7009
SHA1

117dedc36c0146a0557e191ac78f22dc61c96b74
SHA256

e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed
SHA512

a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7
SSDEEP

49152:5WqKKPZ1snfJ+rqDPuQDLME5MT4rDQNpfh:jKKZ1sRD2Q3N5MT4r

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4484	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	4484	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3084-1-0x0000000000A10000-0x0000000000BDC000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca3-33.dat	dcrat
behavioral2/files/0x000c000000023cc8-165.dat	dcrat
behavioral2/files/0x0008000000023cb9-212.dat	dcrat
behavioral2/files/0x0008000000023cc0-224.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1404	powershell.exe
1148	powershell.exe
1476	powershell.exe
2568	powershell.exe
5036	powershell.exe
3528	powershell.exe
4124	powershell.exe
3880	powershell.exe
2928	powershell.exe
4400	powershell.exe
632	powershell.exe
3824	powershell.exe
2024	powershell.exe
1744	powershell.exe
2972	powershell.exe
3644	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 1 IoCs

pid	Process
5476	dllhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Crashpad\dllhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\dwm.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCX8CE.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\5940a34987c991	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXF09E.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCXF0ED.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF5F1.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RCX8CD.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXB50.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXBCE.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Java\jdk-1.8\lib\Registry.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Crashpad\dllhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ee2ad38f3d4382	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Crashpad\RCXFA7A.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCXC9.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX147.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Crashpad\5940a34987c991	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Crashpad\RCXFA79.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Windows Sidebar\dwm.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXF650.tmp	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\Registry.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\x86_netfx4-clrjit_dll_b03f5f7f11d50a3a_4.0.15805.0_none_6d4d884c88d19b00\services.exe	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2324	schtasks.exe
1412	schtasks.exe
3924	schtasks.exe
844	schtasks.exe
4856	schtasks.exe
712	schtasks.exe
1664	schtasks.exe
2352	schtasks.exe
2436	schtasks.exe
2648	schtasks.exe
3660	schtasks.exe
4576	schtasks.exe
2404	schtasks.exe
4400	schtasks.exe
3528	schtasks.exe
2504	schtasks.exe
4844	schtasks.exe
3708	schtasks.exe
948	schtasks.exe
1292	schtasks.exe
2572	schtasks.exe
3564	schtasks.exe
4664	schtasks.exe
1440	schtasks.exe
2008	schtasks.exe
2868	schtasks.exe
4336	schtasks.exe
632	schtasks.exe
2084	schtasks.exe
208	schtasks.exe
1744	schtasks.exe
3860	schtasks.exe
1808	schtasks.exe
5116	schtasks.exe
1684	schtasks.exe
3048	schtasks.exe
3696	schtasks.exe
3880	schtasks.exe
1268	schtasks.exe
504	schtasks.exe
1324	schtasks.exe
2144	schtasks.exe
1404	schtasks.exe
3588	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5476	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	5476	dllhost.exe
Token: SeBackupPrivilege	3584	vssvc.exe
Token: SeRestorePrivilege	3584	vssvc.exe
Token: SeAuditPrivilege	3584	vssvc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 3880	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	136
PID 3084 wrote to memory of 3880	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	136
PID 3084 wrote to memory of 1148	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	137
PID 3084 wrote to memory of 1148	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	137
PID 3084 wrote to memory of 1476	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	138
PID 3084 wrote to memory of 1476	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	138
PID 3084 wrote to memory of 2928	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	139
PID 3084 wrote to memory of 2928	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	139
PID 3084 wrote to memory of 4400	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	140
PID 3084 wrote to memory of 4400	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	140
PID 3084 wrote to memory of 2568	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	141
PID 3084 wrote to memory of 2568	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	141
PID 3084 wrote to memory of 5036	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	142
PID 3084 wrote to memory of 5036	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	142
PID 3084 wrote to memory of 2024	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	143
PID 3084 wrote to memory of 2024	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	143
PID 3084 wrote to memory of 632	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	144
PID 3084 wrote to memory of 632	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	144
PID 3084 wrote to memory of 4124	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	145
PID 3084 wrote to memory of 4124	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	145
PID 3084 wrote to memory of 3644	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	146
PID 3084 wrote to memory of 3644	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	146
PID 3084 wrote to memory of 3528	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	147
PID 3084 wrote to memory of 3528	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	147
PID 3084 wrote to memory of 2972	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	148
PID 3084 wrote to memory of 2972	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	148
PID 3084 wrote to memory of 1744	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	149
PID 3084 wrote to memory of 1744	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	149
PID 3084 wrote to memory of 3824	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	150
PID 3084 wrote to memory of 3824	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	150
PID 3084 wrote to memory of 1404	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	151
PID 3084 wrote to memory of 1404	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	151
PID 3084 wrote to memory of 5476	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	171
PID 3084 wrote to memory of 5476	3084	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe	171
PID 5476 wrote to memory of 4580	5476	dllhost.exe	174
PID 5476 wrote to memory of 4580	5476	dllhost.exe	174
PID 5476 wrote to memory of 1544	5476	dllhost.exe	175
PID 5476 wrote to memory of 1544	5476	dllhost.exe	175

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe
"C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Program Files\Crashpad\dllhost.exe
  "C:\Program Files\Crashpad\dllhost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e797a81d-615e-4eb8-8028-79e9653084d7.vbs"
    3⤵
    PID:4580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66ff143-6f86-4ce9-a2a6-614e01057299.vbs"
    3⤵
    PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\lib\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\Idle.exe

Filesize
1.8MB

MD5
775cb67669d847e2d04e0b459c9c5183

SHA1
c6d57532123792a98e927e577d26e065f08644b1

SHA256
6c5d8f2720a0894da7c065d5a6424b75d8863d7605f7d2180f2bac23d6bd97b4

SHA512
876ffbf21ae6539dc1ef7c21982cdddf1764e4744853621ec28563ca8a4a2c2e96839da8e3a2071e625fdc5a99d563e55a22654046aef17ac037407f0b6d20fe

Download Submit
C:\Program Files (x86)\Windows Sidebar\dwm.exe

Filesize
1.8MB

MD5
e05db4b230ab19f69d3e5ccdfe4455ef

SHA1
137e5c07838ca8c1bcfaf0ce5c1f56a6384d0ce5

SHA256
216adf5c315e61d09007741629100e0a951cf2e4dc5dedb28ec0fe681660e459

SHA512
0af1ca6d091bef0facbb16df0978746f54fa7d70486af96a708978a106135e674defff4e6aeeab38ae81c3c4aae7abec06e33f5433609ab5b30d5abc8229ed75

Download Submit
C:\Recovery\WindowsRE\RCXE51.tmp

Filesize
1.8MB

MD5
fc95fb6e99e21cf839f95ae3015a1e03

SHA1
bf64249389e49770f719e660ebacd935c185e3f0

SHA256
2e0f5b682911062f6cfcded6edc49837da2c1f4eb5fdd39c16aacfb5a46460a2

SHA512
c215410d6f999ae1789edabf72afbb5a10a8defa8cae0a6d4930ad382b7c91bf68f196437708c52b69782ee2797a6222114fc20f739526d781021b21d893ae4a

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
1.8MB

MD5
6f8def1aecbdb57d595fdb2520dc7009

SHA1
117dedc36c0146a0557e191ac78f22dc61c96b74

SHA256
e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed

SHA512
a929f473cbd7a3c3e8d494ccb472ee75e0ca5915ff965bc95020b5b5df24205505601337dcaf0e5750ed441c5293e3b91b8bca4813e577d5ef350a9aaa7a28c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
09c38bf09493920e93b25f37f1ae4efe

SHA1
42e5d800056f08481870c4ca2d0d48181ca8edc8

SHA256
37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

SHA512
91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4d3aqwi.xeg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c66ff143-6f86-4ce9-a2a6-614e01057299.vbs

Filesize
489B

MD5
ffc2ce23c95bd730e83e9c9c7f9ef5c1

SHA1
73a799e23cc7497d592fac5dfbfec1231f70a332

SHA256
bde46f78a8b2d844c4b0b946713240e650a89f815c6b9ee10990ed10e3ea2eaa

SHA512
3994fe1276c02cf26cfd4517a5cc2650f8e3929ccf61295703c2b6657209a4faa0961dd68cf4c3026217879be52583677d501922d24f23790c4e0325895d08ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\e797a81d-615e-4eb8-8028-79e9653084d7.vbs

Filesize
713B

MD5
7f29fcf25011875b8cb725170d934ab2

SHA1
d5e76d70ad4558ffb4a4ab77c390ccf03d41f9e2

SHA256
3ac66f8cd82d8c808744a2861aa151b9708e1bd9fea0d9981d689df6eed7e1d6

SHA512
2de3ffd0c37397dd40a52e1efad25618275edec0de78da35c5f4172d02ab2d20660520866b2625ede3805832653b4affaeb9f0ea072283f52695086c6e39c15a

Download Submit
memory/1744-258-0x0000019C74DE0000-0x0000019C74E02000-memory.dmp

Filesize
136KB

Download
memory/3084-13-0x0000000002DF0000-0x0000000002DFC000-memory.dmp

Filesize
48KB

Download
memory/3084-109-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-15-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/3084-16-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/3084-17-0x000000001B990000-0x000000001B99A000-memory.dmp

Filesize
40KB

Download
memory/3084-18-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/3084-19-0x000000001B900000-0x000000001B908000-memory.dmp

Filesize
32KB

Download
memory/3084-20-0x000000001B920000-0x000000001B92C000-memory.dmp

Filesize
48KB

Download
memory/3084-21-0x0000000002E10000-0x0000000002E1C000-memory.dmp

Filesize
48KB

Download
memory/3084-24-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-25-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-26-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-11-0x0000000002DD0000-0x0000000002DDC000-memory.dmp

Filesize
48KB

Download
memory/3084-72-0x00007FFD0C0D3000-0x00007FFD0C0D5000-memory.dmp

Filesize
8KB

Download
memory/3084-96-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-14-0x0000000002E00000-0x0000000002E0C000-memory.dmp

Filesize
48KB

Download
memory/3084-134-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-12-0x0000000002DE0000-0x0000000002DEC000-memory.dmp

Filesize
48KB

Download
memory/3084-181-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-0-0x00007FFD0C0D3000-0x00007FFD0C0D5000-memory.dmp

Filesize
8KB

Download
memory/3084-10-0x0000000002DB0000-0x0000000002DBC000-memory.dmp

Filesize
48KB

Download
memory/3084-9-0x0000000002DA0000-0x0000000002DAA000-memory.dmp

Filesize
40KB

Download
memory/3084-8-0x0000000002D40000-0x0000000002D48000-memory.dmp

Filesize
32KB

Download
memory/3084-409-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-7-0x0000000002D20000-0x0000000002D36000-memory.dmp

Filesize
88KB

Download
memory/3084-5-0x0000000002D00000-0x0000000002D08000-memory.dmp

Filesize
32KB

Download
memory/3084-6-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/3084-4-0x0000000002D50000-0x0000000002DA0000-memory.dmp

Filesize
320KB

Download
memory/3084-3-0x0000000002CE0000-0x0000000002CFC000-memory.dmp

Filesize
112KB

Download
memory/3084-2-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3084-1-0x0000000000A10000-0x0000000000BDC000-memory.dmp

Filesize
1.8MB

Download