dcrat | 25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

Analysis

max time kernel
101s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Size

3.2MB
MD5

8c1a813f52ed5c9f746cc2baea9b421c
SHA1

923f06dd79705fe0957b6efa9b47f8a726e80b08
SHA256

25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7
SHA512

b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57
SSDEEP

49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO5:k+WhPIq0iHPEA1W/19LGrBoP9wpO5

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3196	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3644	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3644	schtasks.exe	82

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4012-1-0x0000000000B90000-0x0000000000EC4000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbd-46.dat	dcrat
behavioral2/files/0x000a000000023cd5-85.dat	dcrat
behavioral2/files/0x0009000000023cb4-119.dat	dcrat
behavioral2/files/0x000e000000023cd6-163.dat	dcrat
behavioral2/files/0x0008000000023ccd-191.dat	dcrat
behavioral2/memory/3520-364-0x0000000000450000-0x0000000000784000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4340	powershell.exe
4388	powershell.exe
4400	powershell.exe
1856	powershell.exe
840	powershell.exe
624	powershell.exe
1492	powershell.exe
3660	powershell.exe
1804	powershell.exe
2988	powershell.exe
4660	powershell.exe
2936	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 2 IoCs

pid	Process
3520	SppExtComObj.exe
3940	SppExtComObj.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pt-PT\e6c9b481da804f	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\RCXB898.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\RCXB8A8.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\MSBuild\winlogon.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\dotnet\swidtag\SppExtComObj.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXBFE2.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\spoolsv.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\MSBuild\RCXC922.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCC31.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\dotnet\swidtag\e1ef82546f0b02	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\Windows Media Player\es-ES\spoolsv.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\MSBuild\cc11b995f2a76d	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\Idle.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\dotnet\swidtag\SppExtComObj.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXB589.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCXB645.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXBFE1.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCBA3.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files (x86)\Google\Temp\Idle.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files (x86)\Google\Temp\6ccacd8608530f	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\MSBuild\RCXC911.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Program Files\MSBuild\winlogon.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Program Files\Windows Media Player\es-ES\f3b6ecef712a24	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\en-US\unsecapp.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Windows\apppatch\en-US\29c1c3cc0f7685	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\apppatch\en-US\unsecapp.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC68F.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SKB\LanguageModels\lsass.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Windows\SKB\LanguageModels\lsass.exe	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File created	C:\Windows\SKB\LanguageModels\6203df4a6bafc7	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\apppatch\en-US\RCXBB49.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\apppatch\en-US\RCXBB4A.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
File opened for modification	C:\Windows\SKB\LanguageModels\RCXC621.tmp	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
4928	schtasks.exe
4144	schtasks.exe
4792	schtasks.exe
924	schtasks.exe
4300	schtasks.exe
2028	schtasks.exe
1588	schtasks.exe
3196	schtasks.exe
3432	schtasks.exe
392	schtasks.exe
2928	schtasks.exe
1272	schtasks.exe
3664	schtasks.exe
1268	schtasks.exe
1112	schtasks.exe
3468	schtasks.exe
2388	schtasks.exe
2376	schtasks.exe
2012	schtasks.exe
4968	schtasks.exe
5064	schtasks.exe
2812	schtasks.exe
4940	schtasks.exe
3552	schtasks.exe
2648	schtasks.exe
1208	schtasks.exe
812	schtasks.exe
1388	schtasks.exe
408	schtasks.exe
1264	schtasks.exe
1940	schtasks.exe
3900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
4400	powershell.exe
4400	powershell.exe
1856	powershell.exe
1856	powershell.exe
1804	powershell.exe
1804	powershell.exe
840	powershell.exe
840	powershell.exe
1492	powershell.exe
1492	powershell.exe
4388	powershell.exe
4388	powershell.exe
2988	powershell.exe
2988	powershell.exe
4660	powershell.exe
4660	powershell.exe
4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
2936	powershell.exe
2936	powershell.exe
624	powershell.exe
624	powershell.exe
3660	powershell.exe
3660	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	3520	SppExtComObj.exe
Token: SeDebugPrivilege	3940	SppExtComObj.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 2936	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	119
PID 4012 wrote to memory of 2936	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	119
PID 4012 wrote to memory of 4660	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	120
PID 4012 wrote to memory of 4660	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	120
PID 4012 wrote to memory of 624	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	121
PID 4012 wrote to memory of 624	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	121
PID 4012 wrote to memory of 2988	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	122
PID 4012 wrote to memory of 2988	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	122
PID 4012 wrote to memory of 1804	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	123
PID 4012 wrote to memory of 1804	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	123
PID 4012 wrote to memory of 840	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	124
PID 4012 wrote to memory of 840	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	124
PID 4012 wrote to memory of 1856	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	125
PID 4012 wrote to memory of 1856	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	125
PID 4012 wrote to memory of 4400	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	126
PID 4012 wrote to memory of 4400	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	126
PID 4012 wrote to memory of 4388	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	127
PID 4012 wrote to memory of 4388	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	127
PID 4012 wrote to memory of 3660	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	128
PID 4012 wrote to memory of 3660	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	128
PID 4012 wrote to memory of 4340	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	129
PID 4012 wrote to memory of 4340	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	129
PID 4012 wrote to memory of 1492	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	130
PID 4012 wrote to memory of 1492	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	130
PID 4012 wrote to memory of 3520	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	144
PID 4012 wrote to memory of 3520	4012	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe	144
PID 3520 wrote to memory of 3080	3520	SppExtComObj.exe	147
PID 3520 wrote to memory of 3080	3520	SppExtComObj.exe	147
PID 3520 wrote to memory of 720	3520	SppExtComObj.exe	148
PID 3520 wrote to memory of 720	3520	SppExtComObj.exe	148
PID 3080 wrote to memory of 3940	3080	WScript.exe	149
PID 3080 wrote to memory of 3940	3080	WScript.exe	149

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SppExtComObj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SppExtComObj.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe
"C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\swidtag\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\apppatch\en-US\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Program Files\dotnet\swidtag\SppExtComObj.exe
  "C:\Program Files\dotnet\swidtag\SppExtComObj.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3520
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3841d24-1590-4a23-bce5-c2f20867a3b3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Program Files\dotnet\swidtag\SppExtComObj.exe
      "C:\Program Files\dotnet\swidtag\SppExtComObj.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of AdjustPrivilegeToken
      System policy modification
      PID:3940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65f36df1-79b6-4081-8b81-97129361e4e0.vbs"
    3⤵
    PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\pt-PT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\LanguageModels\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\Idle.exe

Filesize
3.2MB

MD5
737227252284f291dfe8d9a0b0c4b8c0

SHA1
1d3a0a90160404f08904b81290784b3a5dd0fe97

SHA256
a0286d8c9e45e08029e85f14fe31b988a7770e66a1ee13d06a9ddbd794e02c5a

SHA512
0e86fa0e7c6dbff2225efe915565af030d9e1191cc8cff31f4829ddaa74fb6f0678e130c00f37071dd6b6cb725ab15fa1f71160ca0c700990d7cbe6860205c3e

Download Submit
C:\Program Files\dotnet\swidtag\SppExtComObj.exe

Filesize
3.2MB

MD5
9fe8c39200c64b7e72e109ba02e298d5

SHA1
70b24f4456638c487b28ba28ae3025fd515d7f21

SHA256
387694a61325bc639721846242e7ea8995211079a712376c0b0f1a86a2a444cd

SHA512
04cafbdf6983576dc24bbdd2afc07178f79620b8744e8ee9e7f4f2cc7c53684a46c885880d55eb9decbab70ecd7d6d5bf76eec224d5542db7d13f42551c1a355

Download Submit
C:\ProgramData\lsass.exe

Filesize
3.2MB

MD5
8c1a813f52ed5c9f746cc2baea9b421c

SHA1
923f06dd79705fe0957b6efa9b47f8a726e80b08

SHA256
25fac6b0d6075d63bbb1727f93a99bf3fc6ce9a298fde4a5e58944e21b4bc0a7

SHA512
b524b7766912011f5ff17bf8b7b4b96abed8a77b113a27eb4ef9ba2fa840946b5443e68204e1e2e45ed9a78c2c681ad12c5a1324bcafee63d297f8dfe8cddb57

Download Submit
C:\ProgramData\lsass.exe

Filesize
3.2MB

MD5
437300f807fa51670cf191f0b635dc74

SHA1
386cd1db828ed294158ea2c35f3daa4549a4bcc0

SHA256
5cd1d319f3f4f31f5d8b849ced3f5f3fe19d2f91f1de62cb9f6d822888fc4283

SHA512
85e1130621d2974c95be22d79a736d57b728f91ed9dd25622128bb375772f7d5e939ff229aef03aea2d0717121b58f8372e05320844e6d13dc816f002543086b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\65f36df1-79b6-4081-8b81-97129361e4e0.vbs

Filesize
500B

MD5
20584a5e5cd7df22595fb26202ed4cf6

SHA1
a28dfbde62ec7e6ae936fb3a2bd89b894b717043

SHA256
a7bee07b9cc577c7e7117e227e7ea823e27e9770774e65b2477e0f442da35973

SHA512
f1ab1f3645ca0b1db4b45abca3aaf369e4a9de2d3294117dd1de62f69cf36ccb4e809a8ace5fdfcb674c3fb11ebc1c8fbfdc00151b9f39b59536be0098dd972a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rkfgfri.pm1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3841d24-1590-4a23-bce5-c2f20867a3b3.vbs

Filesize
724B

MD5
2de5a986c878b9a0c447f9f1007a474f

SHA1
deec48cf14f8aae01076f1c5f0404ac8644c3da8

SHA256
61530f1766c9fa9f553c6e3e6648aea94838495413971428f7f4688627b273bf

SHA512
f3753eb2f183851c0b43272d4452dbff4a398db639ecc3358da0a2b846931d3e1c18d94df897468d0a8801ef04f60d1cf0bc464d96317e7f2eeb566aa08c774b

Download Submit
C:\Windows\SKB\LanguageModels\RCXC621.tmp

Filesize
3.2MB

MD5
1fb00d95c2423182aae7566860ea225c

SHA1
e00272afdc9a385dd0368cf77bcd28c619a94ebf

SHA256
94b66943bd815a08ee39a1bd04831f7dc987fcb25bc89cae6e1d0e50645f7f55

SHA512
add94de00d72da377b1c4d3d8658cf01dde203359b880eaceef34c16fff3e171591170097b9284e00caccf1da94f1206ac370770a165aead06a5a15dec8897f1

Download Submit
memory/3520-373-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/3520-364-0x0000000000450000-0x0000000000784000-memory.dmp

Filesize
3.2MB

Download
memory/3940-404-0x000000001C030000-0x000000001C086000-memory.dmp

Filesize
344KB

Download
memory/4012-30-0x000000001C570000-0x000000001C57E000-memory.dmp

Filesize
56KB

Download
memory/4012-26-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

Filesize
48KB

Download
memory/4012-15-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/4012-16-0x000000001BBA0000-0x000000001BBA8000-memory.dmp

Filesize
32KB

Download
memory/4012-18-0x000000001C260000-0x000000001C272000-memory.dmp

Filesize
72KB

Download
memory/4012-19-0x000000001C7C0000-0x000000001CCE8000-memory.dmp

Filesize
5.2MB

Download
memory/4012-21-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/4012-20-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/4012-23-0x000000001C2C0000-0x000000001C2CC000-memory.dmp

Filesize
48KB

Download
memory/4012-22-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/4012-24-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/4012-25-0x000000001C3E0000-0x000000001C3E8000-memory.dmp

Filesize
32KB

Download
memory/4012-13-0x000000001C210000-0x000000001C266000-memory.dmp

Filesize
344KB

Download
memory/4012-28-0x000000001C510000-0x000000001C51E000-memory.dmp

Filesize
56KB

Download
memory/4012-31-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-33-0x00000000017E0000-0x00000000017EC000-memory.dmp

Filesize
48KB

Download
memory/4012-32-0x00000000017D0000-0x00000000017D8000-memory.dmp

Filesize
32KB

Download
memory/4012-35-0x0000000001800000-0x000000000180A000-memory.dmp

Filesize
40KB

Download
memory/4012-36-0x000000001C580000-0x000000001C58C000-memory.dmp

Filesize
48KB

Download
memory/4012-34-0x00000000017F0000-0x00000000017F8000-memory.dmp

Filesize
32KB

Download
memory/4012-27-0x000000001C400000-0x000000001C40A000-memory.dmp

Filesize
40KB

Download
memory/4012-14-0x000000001BB80000-0x000000001BB88000-memory.dmp

Filesize
32KB

Download
memory/4012-29-0x000000001C560000-0x000000001C568000-memory.dmp

Filesize
32KB

Download
memory/4012-39-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-134-0x00007FF9E86D3000-0x00007FF9E86D5000-memory.dmp

Filesize
8KB

Download
memory/4012-159-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-188-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-243-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-0-0x00007FF9E86D3000-0x00007FF9E86D5000-memory.dmp

Filesize
8KB

Download
memory/4012-6-0x0000000003220000-0x0000000003228000-memory.dmp

Filesize
32KB

Download
memory/4012-7-0x000000001BB00000-0x000000001BB10000-memory.dmp

Filesize
64KB

Download
memory/4012-365-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-8-0x000000001BB10000-0x000000001BB26000-memory.dmp

Filesize
88KB

Download
memory/4012-12-0x000000001BB60000-0x000000001BB6A000-memory.dmp

Filesize
40KB

Download
memory/4012-9-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/4012-11-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/4012-10-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/4012-5-0x000000001C1C0000-0x000000001C210000-memory.dmp

Filesize
320KB

Download
memory/4012-4-0x0000000003200000-0x000000000321C000-memory.dmp

Filesize
112KB

Download
memory/4012-3-0x00000000030D0000-0x00000000030DE000-memory.dmp

Filesize
56KB

Download
memory/4012-2-0x00007FF9E86D0000-0x00007FF9E9191000-memory.dmp

Filesize
10.8MB

Download
memory/4012-1-0x0000000000B90000-0x0000000000EC4000-memory.dmp

Filesize
3.2MB

Download
memory/4400-253-0x000001E8687C0000-0x000001E8687E2000-memory.dmp

Filesize
136KB

Download