dcrat | b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Size

2.7MB
MD5

ba65161e6e83ddc896f9a5461f93d8f1
SHA1

51ecdadd3f065686e9fc6394685d968215cf4029
SHA256

b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d
SHA512

264f88cce23bcaa16394f7d22e443bccb5a10ba080acee2d71daaddee24f9e9b3c14435a971d52c4fbf22d83e7fed7a9eea0d55179db88096724b6e32808dacd
SSDEEP

49152:XRx6mfxiUnp3jfmEXD9KxZU9IaK3clnUezzuuLjaO7e:h40VJ5XQxZUyrctHNyse

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	516	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000230000-0x00000000004E4000-memory.dmp	dcrat
behavioral1/files/0x00050000000195b5-28.dat	dcrat
behavioral1/files/0x000500000001a4bf-95.dat	dcrat
behavioral1/files/0x00060000000195b5-130.dat	dcrat
behavioral1/files/0x0002000000018334-166.dat	dcrat
behavioral1/files/0x000a000000019820-201.dat	dcrat
behavioral1/files/0x0007000000019fd4-212.dat	dcrat
behavioral1/files/0x000800000001a3ab-246.dat	dcrat
behavioral1/memory/2348-292-0x0000000000070000-0x0000000000324000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2348	explorer.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF3E6.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files\Microsoft Office\c5b4cb5e9653cc	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXF493.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX1284.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX1051.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files\Microsoft Office\services.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Microsoft.NET\smss.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Microsoft.NET\69ddcba757bf72	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX119.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\smss.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXFC4.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX1295.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX6A9.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\6203df4a6bafc7	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\es-ES\6203df4a6bafc7	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXFF63.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files\Microsoft Office\services.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCX62B.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\RCX8BC.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX8FB.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCX1CB9.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dllhost.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\CSC\v2.0.6\WmiPrvSE.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\5940a34987c991	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\Downloaded Program Files\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\tracing\RCXF9B5.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\RemotePackages\RCXFC74.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\tracing\Idle.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\tracing\6ccacd8608530f	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\tracing\Idle.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\Downloaded Program Files\d536bdd22e317b	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dllhost.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\tracing\RCXF995.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\RemotePackages\RCXFCF2.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\RemotePackages\lsm.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\Downloaded Program Files\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\RCX1CD9.tmp	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\RemotePackages\lsm.exe	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
File created	C:\Windows\RemotePackages\101b941d020240	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe
1496	schtasks.exe
2396	schtasks.exe
1160	schtasks.exe
988	schtasks.exe
1648	schtasks.exe
1920	schtasks.exe
1032	schtasks.exe
2916	schtasks.exe
2548	schtasks.exe
2340	schtasks.exe
2544	schtasks.exe
2996	schtasks.exe
1484	schtasks.exe
2264	schtasks.exe
2256	schtasks.exe
2568	schtasks.exe
2936	schtasks.exe
1888	schtasks.exe
108	schtasks.exe
1184	schtasks.exe
1768	schtasks.exe
2840	schtasks.exe
2940	schtasks.exe
2124	schtasks.exe
2888	schtasks.exe
2428	schtasks.exe
1088	schtasks.exe
1724	schtasks.exe
2228	schtasks.exe
3008	schtasks.exe
2896	schtasks.exe
2100	schtasks.exe
960	schtasks.exe
236	schtasks.exe
1820	schtasks.exe
1380	schtasks.exe
2456	schtasks.exe
2920	schtasks.exe
2844	schtasks.exe
1284	schtasks.exe
2384	schtasks.exe
536	schtasks.exe
2824	schtasks.exe
2512	schtasks.exe
2368	schtasks.exe
1984	schtasks.exe
1884	schtasks.exe
1704	schtasks.exe
2192	schtasks.exe
1148	schtasks.exe
2432	schtasks.exe
2372	schtasks.exe
2800	schtasks.exe
1640	schtasks.exe
2484	schtasks.exe
2680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
2348	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Token: SeDebugPrivilege	2348	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1720	2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe	89
PID 2308 wrote to memory of 1720	2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe	89
PID 2308 wrote to memory of 1720	2308	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe	89
PID 1720 wrote to memory of 2432	1720	cmd.exe	91
PID 1720 wrote to memory of 2432	1720	cmd.exe	91
PID 1720 wrote to memory of 2432	1720	cmd.exe	91
PID 1720 wrote to memory of 2348	1720	cmd.exe	92
PID 1720 wrote to memory of 2348	1720	cmd.exe	92
PID 1720 wrote to memory of 2348	1720	cmd.exe	92

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe
"C:\Users\Admin\AppData\Local\Temp\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tjOj3FQtya.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2432
- - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\RemotePackages\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507db" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507db" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RCX173A.tmp

Filesize
2.7MB

MD5
d25ec8df0e120162e729c8be087f1a3c

SHA1
458d12ebf9107d02ed6db90f9cf8db2eaf766417

SHA256
1f2912de9cf1d8a2a2d6e213d7fb9fa69e785ee74f039519ff2744ab3f407c51

SHA512
72c2d0a7661ce3a5ada64a87594312cd04551ca42f9e1430db16e32471d8ef25e5bd37b50accb8bebc3152fdbb658c2816d9e252295c201637e3d365614a8f05

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\lsass.exe

Filesize
2.7MB

MD5
9d00a7332c557063af0176683daae977

SHA1
3cb42c42b569d100dad8a0cdbc26c1326b86ca28

SHA256
c8ae2822adcb3f5dc280760f5b38dca967074aa7a0b0db9b530441bbcd5cd793

SHA512
f50712d2150bfd2aee6fd006cc1980bd1dc78346554b845f14736caf6821684a75d3ba7d479ab2b24b06ba0ad3be3714d38b104c7f35e2325612a318684839d5

Download Submit
C:\Program Files (x86)\Microsoft.NET\smss.exe

Filesize
2.7MB

MD5
01b3382a8c32760f2b6fb915dc59e9bc

SHA1
c1f9c9b2fab44914e09135e2e477cd72d047d153

SHA256
37b69083da6bd8dc4461ad589d015c79e99b295933c6384296eca851e6722fe3

SHA512
353cc1a6d2a8f767ece2e9d3113548a2f512e90c5ca73e85a592e5d266a8a64bc0cf0a63b8d58603f8860cd6bbc12a9165ab73b7296589ac1514afa4ea5fd21b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe

Filesize
2.7MB

MD5
17bea9150f7cb09fd68cfb444595f99b

SHA1
d187f82b36f024020b14a91c87efc43af4fcce29

SHA256
b164bc4f2cb199bdb4db47462384a00db708b5c19e6f729e2431a50b64b5e490

SHA512
49d4387b249cb9a4fbe10decae388d5e1e831c692fdfcf34cca4061feb70cc0301649dfcd8a99c2dce931a1170ec8c2c018b25695716a959d0f48daf18fc296f

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe

Filesize
2.7MB

MD5
1c968ee6eff3a21bac73014e799139fe

SHA1
6b03c2ee9a4a050f1e38dccb64d43e1c56b9efe5

SHA256
bb8673ff6671df40fc029ae7089b42222b2959fbce7c72e1a3e339c49b7d4284

SHA512
f3ee8bec0923b94fc5e5f5766fd66df30f832371b254cda1d9e89b812f5aef2c50aa61eba43f0c680ce8e7fc3894077fbf7dacbe2f138b640d6d846175b9a10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjOj3FQtya.bat

Filesize
240B

MD5
967e748b8f1f13d1d1d7cfde367b97b0

SHA1
2deeb79d387cecb922f00be5c93766d5bd1ffbff

SHA256
a659df632b07c85ef463da0627c281d7be7c4716f8e28f96b3abf87f9d2b6965

SHA512
797aed028dc3d021ac8be22af4d2b3b30b33fbeeeac69c7209ef76c0cefef7acab3e249474f50be0832a7b6b4050014c723240fccf27fd5469c7e63c871f310d

Download Submit
C:\Windows\RemotePackages\lsm.exe

Filesize
2.7MB

MD5
c29d09355d1eccb77c2e8814bdca5042

SHA1
f32a24488162154dd75cdedac2f322e4f47d3393

SHA256
bf9fccd7bc15d315dd57fc106ed00937aad2b2993ecfbc4fcea94b56bf664f90

SHA512
7032bb2cd4ffb2923b6827ee68a6ac50843ffce5d9553e629f94a25405f83d45ef2f2fa20b2c7b96c85e23922e4c63bd721b0716ad59f620250cb17049aafda1

Download Submit
C:\Windows\tracing\Idle.exe

Filesize
2.7MB

MD5
ba65161e6e83ddc896f9a5461f93d8f1

SHA1
51ecdadd3f065686e9fc6394685d968215cf4029

SHA256
b8b5f7e2edc5114c9554dde3723b6f6221e4ec5ae0379c7feff8e2bc7398507d

SHA512
264f88cce23bcaa16394f7d22e443bccb5a10ba080acee2d71daaddee24f9e9b3c14435a971d52c4fbf22d83e7fed7a9eea0d55179db88096724b6e32808dacd

Download Submit
memory/2308-16-0x0000000002570000-0x000000000257E000-memory.dmp

Filesize
56KB

Download
memory/2308-7-0x0000000000770000-0x0000000000786000-memory.dmp

Filesize
88KB

Download
memory/2308-10-0x00000000022C0000-0x0000000002316000-memory.dmp

Filesize
344KB

Download
memory/2308-11-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2308-12-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2308-13-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2308-14-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2308-15-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/2308-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2308-17-0x0000000002580000-0x000000000258C000-memory.dmp

Filesize
48KB

Download
memory/2308-18-0x0000000002590000-0x000000000259A000-memory.dmp

Filesize
40KB

Download
memory/2308-19-0x00000000025A0000-0x00000000025AC000-memory.dmp

Filesize
48KB

Download
memory/2308-8-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2308-9-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/2308-98-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2308-6-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2308-133-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-5-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2308-4-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2308-3-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2308-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-1-0x0000000000230000-0x00000000004E4000-memory.dmp

Filesize
2.7MB

Download
memory/2308-289-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-292-0x0000000000070000-0x0000000000324000-memory.dmp

Filesize
2.7MB

Download
memory/2348-293-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download