dcrat | d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

Analysis

max time kernel
29s
max time network
23s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Size

3.2MB
MD5

a665e22aa25b2f62c5524fc10feb2820
SHA1

0f8f6aa96b425633eb11f84aece99ef2f9d67b9e
SHA256

d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b
SHA512

cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381
SSDEEP

49152:oD+WhPI+P05YhHbpHP1qcdhymFKN/1cCLKtrp8qotx/8jwwpO:k+WhPIq0iHPEA1W/19LGrBoP9wpO

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2592	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2592	schtasks.exe	30

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2104-1-0x0000000000E00000-0x0000000001134000-memory.dmp	dcrat
behavioral1/files/0x0005000000018742-43.dat	dcrat
behavioral1/files/0x000500000001a094-74.dat	dcrat
behavioral1/files/0x0013000000012266-133.dat	dcrat
behavioral1/files/0x000b000000018731-156.dat	dcrat
behavioral1/files/0x0008000000019227-167.dat	dcrat
behavioral1/files/0x0007000000019284-178.dat	dcrat
behavioral1/memory/2860-298-0x0000000001160000-0x0000000001494000-memory.dmp	dcrat
behavioral1/memory/1804-311-0x0000000000260000-0x0000000000594000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
2660	powershell.exe
2984	powershell.exe
2776	powershell.exe
644	powershell.exe
3024	powershell.exe
2968	powershell.exe
2936	powershell.exe
2364	powershell.exe
656	powershell.exe
1632	powershell.exe
1540	powershell.exe
1740	powershell.exe
1188	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	Idle.exe
1804	Idle.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\csrss.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Program Files\Microsoft Office\smss.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXABDC.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXC1C0.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\services.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAB6E.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXC1C1.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Microsoft Office\smss.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\RCXADE1.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\de-DE\winlogon.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\RCXBCDC.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\Cursors\101b941d020240	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\de-DE\cc11b995f2a76d	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\Cursors\RCXADE0.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\de-DE\RCXB866.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\System.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\Help\OEM\Idle.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\de-DE\winlogon.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\Help\OEM\Idle.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\de-DE\RCXB865.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\RCXBD4A.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\Help\OEM\RCXC3C5.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\Cursors\lsm.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\PCHEALTH\ERRORREP\System.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\Cursors\lsm.exe	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File opened for modification	C:\Windows\Help\OEM\RCXC3C6.tmp	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\PCHEALTH\ERRORREP\27d1bcfc3c54e0	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
File created	C:\Windows\Help\OEM\6ccacd8608530f	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe
2024	schtasks.exe
1908	schtasks.exe
376	schtasks.exe
840	schtasks.exe
2436	schtasks.exe
2580	schtasks.exe
2960	schtasks.exe
2060	schtasks.exe
1128	schtasks.exe
604	schtasks.exe
2620	schtasks.exe
316	schtasks.exe
1716	schtasks.exe
3040	schtasks.exe
3012	schtasks.exe
1488	schtasks.exe
356	schtasks.exe
2932	schtasks.exe
2672	schtasks.exe
1472	schtasks.exe
2924	schtasks.exe
556	schtasks.exe
1304	schtasks.exe
2364	schtasks.exe
264	schtasks.exe
1236	schtasks.exe
2964	schtasks.exe
300	schtasks.exe
676	schtasks.exe
1464	schtasks.exe
2816	schtasks.exe
3016	schtasks.exe
1684	schtasks.exe
2900	schtasks.exe
2656	schtasks.exe
2972	schtasks.exe
2820	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
2768	powershell.exe
3024	powershell.exe
2776	powershell.exe
2984	powershell.exe
1740	powershell.exe
2660	powershell.exe
2364	powershell.exe
1188	powershell.exe
644	powershell.exe
1632	powershell.exe
2968	powershell.exe
1540	powershell.exe
2936	powershell.exe
656	powershell.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe
2860	Idle.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2860	Idle.exe
Token: SeDebugPrivilege	1804	Idle.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2776	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	70
PID 2104 wrote to memory of 2776	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	70
PID 2104 wrote to memory of 2776	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	70
PID 2104 wrote to memory of 644	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	71
PID 2104 wrote to memory of 644	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	71
PID 2104 wrote to memory of 644	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	71
PID 2104 wrote to memory of 2768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	72
PID 2104 wrote to memory of 2768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	72
PID 2104 wrote to memory of 2768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	72
PID 2104 wrote to memory of 656	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	73
PID 2104 wrote to memory of 656	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	73
PID 2104 wrote to memory of 656	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	73
PID 2104 wrote to memory of 2968	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	74
PID 2104 wrote to memory of 2968	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	74
PID 2104 wrote to memory of 2968	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	74
PID 2104 wrote to memory of 2660	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	75
PID 2104 wrote to memory of 2660	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	75
PID 2104 wrote to memory of 2660	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	75
PID 2104 wrote to memory of 1632	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	76
PID 2104 wrote to memory of 1632	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	76
PID 2104 wrote to memory of 1632	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	76
PID 2104 wrote to memory of 1540	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	77
PID 2104 wrote to memory of 1540	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	77
PID 2104 wrote to memory of 1540	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	77
PID 2104 wrote to memory of 3024	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	78
PID 2104 wrote to memory of 3024	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	78
PID 2104 wrote to memory of 3024	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	78
PID 2104 wrote to memory of 1740	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	79
PID 2104 wrote to memory of 1740	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	79
PID 2104 wrote to memory of 1740	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	79
PID 2104 wrote to memory of 1188	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	80
PID 2104 wrote to memory of 1188	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	80
PID 2104 wrote to memory of 1188	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	80
PID 2104 wrote to memory of 2364	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	81
PID 2104 wrote to memory of 2364	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	81
PID 2104 wrote to memory of 2364	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	81
PID 2104 wrote to memory of 2984	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	82
PID 2104 wrote to memory of 2984	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	82
PID 2104 wrote to memory of 2984	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	82
PID 2104 wrote to memory of 2936	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	83
PID 2104 wrote to memory of 2936	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	83
PID 2104 wrote to memory of 2936	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	83
PID 2104 wrote to memory of 1768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	98
PID 2104 wrote to memory of 1768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	98
PID 2104 wrote to memory of 1768	2104	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe	98
PID 1768 wrote to memory of 984	1768	cmd.exe	101
PID 1768 wrote to memory of 984	1768	cmd.exe	101
PID 1768 wrote to memory of 984	1768	cmd.exe	101
PID 1768 wrote to memory of 2860	1768	cmd.exe	102
PID 1768 wrote to memory of 2860	1768	cmd.exe	102
PID 1768 wrote to memory of 2860	1768	cmd.exe	102
PID 2860 wrote to memory of 1792	2860	Idle.exe	103
PID 2860 wrote to memory of 1792	2860	Idle.exe	103
PID 2860 wrote to memory of 1792	2860	Idle.exe	103
PID 2860 wrote to memory of 2056	2860	Idle.exe	104
PID 2860 wrote to memory of 2056	2860	Idle.exe	104
PID 2860 wrote to memory of 2056	2860	Idle.exe	104
PID 1792 wrote to memory of 1804	1792	WScript.exe	105
PID 1792 wrote to memory of 1804	1792	WScript.exe	105
PID 1792 wrote to memory of 1804	1792	WScript.exe	105

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe
"C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0bN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CVKAF0p32B.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:984
- - C:\Windows\Help\OEM\Idle.exe
    "C:\Windows\Help\OEM\Idle.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\add4b4af-c4c6-453d-8b37-ef845da599d7.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\Help\OEM\Idle.exe
        
        C:\Windows\Help\OEM\Idle.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd56e4b-1977-49cd-897d-dd104eec2227.vbs"
      4⤵
      PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Cursors\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\OEM\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Help\OEM\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\OEM\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
3.2MB

MD5
a665e22aa25b2f62c5524fc10feb2820

SHA1
0f8f6aa96b425633eb11f84aece99ef2f9d67b9e

SHA256
d6191f82b8c076e00b9839f3a27a5421147faa2feebe6d64c3650ae460be4a0b

SHA512
cbc565fb6b584d5b9720c6bfbebeaf71d4884ea41033fd26cba78a6b3544b39e83e0a5b011c901bbd56f9d509735a0830d18036ef677c43abf6b94eec03cc381

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
3.2MB

MD5
6f47f0468144d0cd45125f5ff36e1672

SHA1
ebfa3f58a822a2604c3e564e5cd644119c4d33f6

SHA256
8200e151c6f9da3e5db5edef832d68412dffda98e71233e6820c95dc0785c02a

SHA512
30bc01ee236149e60a97e9d8e74da0a87e6957dabc2a4bc13ed1a691c9da58c64af5c2040d36d088c625c67af02197b82449b0dc75ba048475253568f513fa78

Download Submit
C:\Program Files\Uninstall Information\csrss.exe

Filesize
3.2MB

MD5
34dfaede2fce3e536cb73b13ea0ec897

SHA1
6afd1b176a9bfed63b7e63a0a0b8c12dc6de0b48

SHA256
eba0213f203cff8bbf8ff6e006be8e246f776e3c5f015df0ce64b966bd5a1c56

SHA512
2d637ccb9bc358f58d57ad097bc6a1e41aea3f99927d11abfc0caa0eb05861dd97a42eea1dee0905d61fa47118fbb773f003c131449aa2afd6512b4eddbbc7f9

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dllhost.exe

Filesize
3.2MB

MD5
8d0394de5bf0d752d0b8ac3975a8b382

SHA1
6b0b413f3df4c0796cb84920a44b2dd7b12525bd

SHA256
9b622640f8cb317c88cfed3a234cd8fea6ff4fe83a49bb5adbc603ce92d9e7a5

SHA512
62e886e7f73d9a0b61b741e629c61451c2b431b74847202073432161f5f2e12a844ae83df1b859885b3ba0501d82b91fe0a590a15c57b13204ba84e62d7eef01

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVKAF0p32B.bat

Filesize
193B

MD5
49d2dca91738d68dac1e5c235cad3bdb

SHA1
323f576777ead406aa633db619873a6e691a16cd

SHA256
9c619238a9d574537f70be582655d5f07a2ce8c546c1905fe431a1c455dc3ffc

SHA512
963771d9da867ba7f21dff559f74e9776daa9e39dad1966d66ccf8c622da01e8d642209b3148ce11c842b6181a4074271f56596ae01663a782d8a188fb8a2804

Download Submit
C:\Users\Admin\AppData\Local\Temp\add4b4af-c4c6-453d-8b37-ef845da599d7.vbs

Filesize
704B

MD5
0b266c39c4163533454d0d3d29e6078d

SHA1
8f81483c36a22d006d0b58a38ee83e7030235cc4

SHA256
2eef94fc6b99c1f69622db39d47619b1ce183be641217e7d7c70bcc6040bcdb2

SHA512
8d414e2e10804cf24fbe03e068b77887653122a2268461942b1ba09b23368546589ea4f59ac8de664a5fda21c3071146406eef00089d78768c7d506f17e23e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffd56e4b-1977-49cd-897d-dd104eec2227.vbs

Filesize
480B

MD5
964fe8fb9682d65c697c379b56dc3e93

SHA1
10a899d556256e0e145567dd9a9e94eb6d2e9757

SHA256
6a9ad662570d2a52d8bb6d3cb75b8bfdd1a23ae35455553d0a132000edb024ab

SHA512
bfac0a5b1e6afff91ec9fedfa8705ce761bd1f62bd8966e9ddfdc23cede9f828eb1abedf7db59ad75213da88eb8d94d17f1aae36645f3d74de7c7c263518b673

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2950c5359dfe4b570051ce62be163de7

SHA1
6c214df3220a6d4f3c16eaeddbbbf11dc5278d3a

SHA256
8951c1addc9ca5c4e7fa3591b1afdabe3c530e7edb4364580c2f7cbb0ab28c88

SHA512
79649df8423748a933dad3ad4cd9825b6431d9e2d27193521369c83fd8949d60944128308ac11375cac60feba5cc11c2d2f9719e543f22524525fe8243a3495f

Download Submit
C:\Users\Public\Recorded TV\Sample Media\csrss.exe

Filesize
3.2MB

MD5
0fb7928d568877c72981b8481e802e7b

SHA1
d4eff46db27d3e4b81f7cb97f7e764959d738a57

SHA256
ea795523dea79b4ce4332ab75a5a35d66082fa9274dd6e32b787f5cab62fa137

SHA512
ef69ba1fd1b6ec3b3d35ba659a8a538ef872d04e16754682dc9473d71af94090d04a512df345aaff883790a3b6399b66f3a952a5d5692364f783906f67337ecc

Download Submit
C:\Windows\PCHEALTH\ERRORREP\System.exe

Filesize
3.2MB

MD5
2e09bf6407733510dca440f53ac5edf2

SHA1
9e06adc0d6f80bb475d23f6ebc6df14b2f74286e

SHA256
5af637cf91c634bc350df90c70d62a584536f7f28fe2cc696bc85a76b9690540

SHA512
7633f38e3fd5c54767e63e9bf2f0190449b70ad36eaaa7e568ac8327f7f0265fb0e44ffeac9ea8e911d8993e02248e137f6c66edb9a77c21ca56f6f9792e5d28

Download Submit
memory/1804-311-0x0000000000260000-0x0000000000594000-memory.dmp

Filesize
3.2MB

Download
memory/2104-13-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2104-33-0x000000001ABC0000-0x000000001ABCA000-memory.dmp

Filesize
40KB

Download
memory/2104-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2104-14-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2104-15-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/2104-17-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2104-18-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/2104-19-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/2104-20-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2104-21-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/2104-22-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/2104-24-0x000000001AA30000-0x000000001AA3C000-memory.dmp

Filesize
48KB

Download
memory/2104-23-0x000000001AA40000-0x000000001AA48000-memory.dmp

Filesize
32KB

Download
memory/2104-30-0x000000001AAA0000-0x000000001AAAC000-memory.dmp

Filesize
48KB

Download
memory/2104-29-0x000000001AA90000-0x000000001AA98000-memory.dmp

Filesize
32KB

Download
memory/2104-28-0x000000001AA80000-0x000000001AA8E000-memory.dmp

Filesize
56KB

Download
memory/2104-27-0x000000001AA70000-0x000000001AA78000-memory.dmp

Filesize
32KB

Download
memory/2104-31-0x000000001ABB0000-0x000000001ABB8000-memory.dmp

Filesize
32KB

Download
memory/2104-26-0x000000001AA60000-0x000000001AA6E000-memory.dmp

Filesize
56KB

Download
memory/2104-25-0x000000001AA50000-0x000000001AA5A000-memory.dmp

Filesize
40KB

Download
memory/2104-32-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-12-0x0000000002540000-0x0000000002596000-memory.dmp

Filesize
344KB

Download
memory/2104-34-0x000000001ABD0000-0x000000001ABDC000-memory.dmp

Filesize
48KB

Download
memory/2104-11-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2104-10-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

Filesize
64KB

Download
memory/2104-9-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2104-8-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/2104-7-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/2104-6-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2104-217-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

Filesize
4KB

Download
memory/2104-223-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-5-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2104-1-0x0000000000E00000-0x0000000001134000-memory.dmp

Filesize
3.2MB

Download
memory/2104-4-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/2104-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-3-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2768-238-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2768-241-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2860-299-0x0000000000C50000-0x0000000000CA6000-memory.dmp

Filesize
344KB

Download
memory/2860-300-0x0000000001010000-0x0000000001022000-memory.dmp

Filesize
72KB

Download
memory/2860-298-0x0000000001160000-0x0000000001494000-memory.dmp

Filesize
3.2MB

Download