dcrat | ea35e9404c24a02e79df74209be0e4a5b7e5805683394c6b2d46b1feb37ac9b5

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Size

1.5MB
MD5

4667f5be1002ce912e5590cca8da93b6
SHA1

2e408e483dd447b69d2e938218989265fbfdc2af
SHA256

fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e
SHA512

cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f
SSDEEP

24576:YvpWPh9nUNea6cQ/VUPoF/VPwrEDgbqeFrQqvvlsDJ+drpDn3fQK/759qiuiMjTP:+W8NA/VUPoFVwrIIV+DJGfZ19qig

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2936	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2936	schtasks.exe	83

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/396-1-0x00000000009A0000-0x0000000000B2E000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b71-27.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe
4372	powershell.exe
4036	powershell.exe
3540	powershell.exe
1972	powershell.exe
920	powershell.exe
2436	powershell.exe
2204	powershell.exe
3488	powershell.exe
3988	powershell.exe
4364	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Executes dropped EXE 2 IoCs

pid	Process
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
2536	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\spoolsv.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5ec8376caeeb2f	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\9e8d7a4ca61bd9	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5940a34987c991	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files\WindowsApps\smss.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\f3b6ecef712a24	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Addons\6cb0b6c459d5d3	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\winlogon.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Windows\SchCache\cc11b995f2a76d	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Windows\L2Schemas\spoolsv.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Windows\L2Schemas\f3b6ecef712a24	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Windows\TAPI\taskhostw.exe	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
File created	C:\Windows\TAPI\ea9f0e6c9e2dcd	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4120	schtasks.exe
4060	schtasks.exe
1044	schtasks.exe
2920	schtasks.exe
2272	schtasks.exe
1980	schtasks.exe
3480	schtasks.exe
1524	schtasks.exe
4792	schtasks.exe
4936	schtasks.exe
1456	schtasks.exe
3512	schtasks.exe
4472	schtasks.exe
996	schtasks.exe
3416	schtasks.exe
4176	schtasks.exe
3904	schtasks.exe
3312	schtasks.exe
4524	schtasks.exe
2324	schtasks.exe
4236	schtasks.exe
1132	schtasks.exe
3036	schtasks.exe
3776	schtasks.exe
4408	schtasks.exe
3164	schtasks.exe
2064	schtasks.exe
2312	schtasks.exe
2080	schtasks.exe
3308	schtasks.exe
4000	schtasks.exe
1428	schtasks.exe
2456	schtasks.exe
2236	schtasks.exe
2072	schtasks.exe
4976	schtasks.exe
3092	schtasks.exe
4316	schtasks.exe
1152	schtasks.exe
1840	schtasks.exe
948	schtasks.exe
4696	schtasks.exe
2252	schtasks.exe
1136	schtasks.exe
2948	schtasks.exe
3508	schtasks.exe
2700	schtasks.exe
740	schtasks.exe
3528	schtasks.exe
2172	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
2204	powershell.exe
2204	powershell.exe
920	powershell.exe
920	powershell.exe
4372	powershell.exe
4372	powershell.exe
3540	powershell.exe
3540	powershell.exe
4364	powershell.exe
4364	powershell.exe
3988	powershell.exe
3988	powershell.exe
3488	powershell.exe
3488	powershell.exe
3540	powershell.exe
4036	powershell.exe
4036	powershell.exe
2436	powershell.exe
2436	powershell.exe
400	powershell.exe
400	powershell.exe
1972	powershell.exe
1972	powershell.exe
3488	powershell.exe
4364	powershell.exe
4036	powershell.exe
2204	powershell.exe
920	powershell.exe
4372	powershell.exe
400	powershell.exe
3988	powershell.exe
2436	powershell.exe
1972	powershell.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Token: SeDebugPrivilege	2536	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1972	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	135
PID 396 wrote to memory of 1972	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	135
PID 396 wrote to memory of 920	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	136
PID 396 wrote to memory of 920	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	136
PID 396 wrote to memory of 3540	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	137
PID 396 wrote to memory of 3540	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	137
PID 396 wrote to memory of 4036	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	138
PID 396 wrote to memory of 4036	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	138
PID 396 wrote to memory of 4364	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	139
PID 396 wrote to memory of 4364	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	139
PID 396 wrote to memory of 3988	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	140
PID 396 wrote to memory of 3988	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	140
PID 396 wrote to memory of 4372	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	141
PID 396 wrote to memory of 4372	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	141
PID 396 wrote to memory of 3488	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	142
PID 396 wrote to memory of 3488	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	142
PID 396 wrote to memory of 2204	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	143
PID 396 wrote to memory of 2204	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	143
PID 396 wrote to memory of 2436	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	144
PID 396 wrote to memory of 2436	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	144
PID 396 wrote to memory of 400	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	145
PID 396 wrote to memory of 400	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	145
PID 396 wrote to memory of 2352	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	157
PID 396 wrote to memory of 2352	396	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	157
PID 2352 wrote to memory of 2948	2352	cmd.exe	159
PID 2352 wrote to memory of 2948	2352	cmd.exe	159
PID 2352 wrote to memory of 4500	2352	cmd.exe	160
PID 2352 wrote to memory of 4500	2352	cmd.exe	160
PID 4500 wrote to memory of 4300	4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	162
PID 4500 wrote to memory of 4300	4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	162
PID 4500 wrote to memory of 1052	4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	163
PID 4500 wrote to memory of 1052	4500	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe	163
PID 4300 wrote to memory of 2536	4300	WScript.exe	172
PID 4300 wrote to memory of 2536	4300	WScript.exe	172

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
"C:\Users\Admin\AppData\Local\Temp\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rYSUmFbpAo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2948
- - C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
    "C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4500
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ec4c71-1b4b-4d7b-9777-77c7f24cbd74.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09b04f71-5536-4118-8000-1b03704b02e1.vbs"
      4⤵
      PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\PrintHood\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Favorites\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\TAPI\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022ef" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022ef" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\06ec4c71-1b4b-4d7b-9777-77c7f24cbd74.vbs

Filesize
795B

MD5
d89a4b2f79cee6b8d99001629f3dbc3f

SHA1
2b9a9e1fda55df48b7e68446b29db48eb378e31e

SHA256
c358a2b2c7ec2ef07f748f6ccaaa466eda64879ca554124f46391d19eb514091

SHA512
c9ee39c2c94b8ec9fb1b5b1098780a354db379085e8b4026779fd6988f613724ef6a71370b1adb9d2b2dded0f5c4358eb104e535bc68c0f00e662c2ce03d0ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\09b04f71-5536-4118-8000-1b03704b02e1.vbs

Filesize
571B

MD5
5445af39dab17e3ee58cca3f15f54e5e

SHA1
698c240fe808a80d0d6dfb12e15fca429148b0bf

SHA256
41d14efc4e1d6a9b1d95266143e00511f8df6e6d8de1225a47142abf3266a1e8

SHA512
683953b47e2447e3719bd06efca82821a4643a750a7fe6d69495e4cb9bf2b8c334d614636a9a921153ed432b8736548c70f9f06aa2b69895a13449607227ba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfdls3zr.wfz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rYSUmFbpAo.bat

Filesize
284B

MD5
0d0623339519130507e725e192e2ec05

SHA1
b3758832afdcc047aa35442d092b2e051ddd0826

SHA256
3cbb08dbf66ba89deeb1434110ce8387acfea953ab987391efc8f23031dcc12d

SHA512
e2b766e44bb97a1eb1358d99572adfec45d4a35d793fbe0a0b20a44234424c4d0574b6d8db130fee1f96cd2c94da4bf564831aca4248eb76fb0e1ff6483cc7eb

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\fontdrvhost.exe

Filesize
1.5MB

MD5
4667f5be1002ce912e5590cca8da93b6

SHA1
2e408e483dd447b69d2e938218989265fbfdc2af

SHA256
fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e

SHA512
cdc57befaf7bad8917cc885b394f37d9dac3beabca5d07ab74cfee24f076dc088c2631ad2176dd7b9e62c555692b4c51e3280d5cf5d432ea5172db4ab8fa8c7f

Download Submit
memory/396-10-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/396-6-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/396-13-0x0000000002E90000-0x0000000002E98000-memory.dmp

Filesize
32KB

Download
memory/396-11-0x0000000002E30000-0x0000000002E3A000-memory.dmp

Filesize
40KB

Download
memory/396-0-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/396-9-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/396-15-0x0000000002EC0000-0x0000000002EC8000-memory.dmp

Filesize
32KB

Download
memory/396-18-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/396-20-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/396-16-0x000000001BEB0000-0x000000001BEBC000-memory.dmp

Filesize
48KB

Download
memory/396-14-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/396-1-0x00000000009A0000-0x0000000000B2E000-memory.dmp

Filesize
1.6MB

Download
memory/396-95-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/396-8-0x0000000002CA0000-0x0000000002CAC000-memory.dmp

Filesize
48KB

Download
memory/396-7-0x0000000002C90000-0x0000000002C9C000-memory.dmp

Filesize
48KB

Download
memory/396-5-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/396-12-0x0000000002E40000-0x0000000002E4E000-memory.dmp

Filesize
56KB

Download
memory/396-4-0x0000000002DE0000-0x0000000002E30000-memory.dmp

Filesize
320KB

Download
memory/396-3-0x0000000002C40000-0x0000000002C5C000-memory.dmp

Filesize
112KB

Download
memory/396-2-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/920-85-0x0000027A47840000-0x0000027A47862000-memory.dmp

Filesize
136KB

Download