dcrat | 5a47bbdd5a87677ce485cfa5eae97ce572dae896ec0fb306f8b4a2ad8d5f856c

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b34673a6ae78f3a63160d7f87c92a6d4.exe
Size

2.4MB
MD5

b34673a6ae78f3a63160d7f87c92a6d4
SHA1

3e28a8ac30adf1ef1409d58d0b6949bb500b1a09
SHA256

5a47bbdd5a87677ce485cfa5eae97ce572dae896ec0fb306f8b4a2ad8d5f856c
SHA512

5e2d5a4b0bc3225e4bf2d4985a26d23fa435d3044888ffbf93d64fc78838e73d3093a9b285da5b6fa922a9f1f8d707ee658e8dad3c75655b952b8b328d118be4
SSDEEP

49152:ccI39HRdZ+t1/31gbeRexLxkbtPSPGNGzeV5hp4XFUb9n:cjHRu12LxksPGN8eV53AFM

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2724	schtasks.exe	30

UAC bypass 3 TTPs 42 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2212-1-0x0000000000360000-0x00000000005C2000-memory.dmp	dcrat
behavioral1/files/0x00050000000193a4-25.dat	dcrat
behavioral1/memory/2324-37-0x0000000001080000-0x00000000012E2000-memory.dmp	dcrat
behavioral1/memory/1580-59-0x00000000011C0000-0x0000000001422000-memory.dmp	dcrat
behavioral1/memory/264-74-0x0000000000220000-0x0000000000482000-memory.dmp	dcrat
behavioral1/memory/1660-82-0x00000000003E0000-0x0000000000642000-memory.dmp	dcrat
behavioral1/memory/652-90-0x0000000001160000-0x00000000013C2000-memory.dmp	dcrat
behavioral1/memory/1632-126-0x0000000001350000-0x00000000015B2000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2324	System.exe
2916	System.exe
1436	System.exe
1580	System.exe
2596	System.exe
264	System.exe
1660	System.exe
652	System.exe
1792	System.exe
2436	System.exe
2604	System.exe
2964	System.exe
1632	System.exe

Checks whether UAC is enabled 1 TTPs 28 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b34673a6ae78f3a63160d7f87c92a6d4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
13	pastebin.com
15	pastebin.com
21	pastebin.com
27	pastebin.com
25	pastebin.com
5	pastebin.com
7	pastebin.com
9	pastebin.com
11	pastebin.com
17	pastebin.com
19	pastebin.com
23	pastebin.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	b34673a6ae78f3a63160d7f87c92a6d4.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	b34673a6ae78f3a63160d7f87c92a6d4.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\WmiPrvSE.exe	b34673a6ae78f3a63160d7f87c92a6d4.exe
File created	C:\Windows\debug\WIA\24dbde2999530e	b34673a6ae78f3a63160d7f87c92a6d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
1632	schtasks.exe
2768	schtasks.exe
2596	schtasks.exe
2332	schtasks.exe
3000	schtasks.exe
2828	schtasks.exe
2928	schtasks.exe
2616	schtasks.exe
2788	schtasks.exe
2640	schtasks.exe
2812	schtasks.exe
2864	schtasks.exe
2968	schtasks.exe
596	schtasks.exe
2932	schtasks.exe
2756	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2212	b34673a6ae78f3a63160d7f87c92a6d4.exe
2324	System.exe
2916	System.exe
1436	System.exe
1580	System.exe
2596	System.exe
264	System.exe
1660	System.exe
652	System.exe
1792	System.exe
2436	System.exe
2604	System.exe
2964	System.exe
1632	System.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	b34673a6ae78f3a63160d7f87c92a6d4.exe
Token: SeDebugPrivilege	2324	System.exe
Token: SeDebugPrivilege	2916	System.exe
Token: SeDebugPrivilege	1436	System.exe
Token: SeDebugPrivilege	1580	System.exe
Token: SeDebugPrivilege	2596	System.exe
Token: SeDebugPrivilege	264	System.exe
Token: SeDebugPrivilege	1660	System.exe
Token: SeDebugPrivilege	652	System.exe
Token: SeDebugPrivilege	1792	System.exe
Token: SeDebugPrivilege	2436	System.exe
Token: SeDebugPrivilege	2604	System.exe
Token: SeDebugPrivilege	2964	System.exe
Token: SeDebugPrivilege	1632	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1592	2212	b34673a6ae78f3a63160d7f87c92a6d4.exe	49
PID 2212 wrote to memory of 1592	2212	b34673a6ae78f3a63160d7f87c92a6d4.exe	49
PID 2212 wrote to memory of 1592	2212	b34673a6ae78f3a63160d7f87c92a6d4.exe	49
PID 1592 wrote to memory of 1808	1592	cmd.exe	51
PID 1592 wrote to memory of 1808	1592	cmd.exe	51
PID 1592 wrote to memory of 1808	1592	cmd.exe	51
PID 1592 wrote to memory of 2324	1592	cmd.exe	53
PID 1592 wrote to memory of 2324	1592	cmd.exe	53
PID 1592 wrote to memory of 2324	1592	cmd.exe	53
PID 2324 wrote to memory of 2896	2324	System.exe	54
PID 2324 wrote to memory of 2896	2324	System.exe	54
PID 2324 wrote to memory of 2896	2324	System.exe	54
PID 2896 wrote to memory of 444	2896	cmd.exe	56
PID 2896 wrote to memory of 444	2896	cmd.exe	56
PID 2896 wrote to memory of 444	2896	cmd.exe	56
PID 2896 wrote to memory of 2916	2896	cmd.exe	58
PID 2896 wrote to memory of 2916	2896	cmd.exe	58
PID 2896 wrote to memory of 2916	2896	cmd.exe	58
PID 2916 wrote to memory of 888	2916	System.exe	59
PID 2916 wrote to memory of 888	2916	System.exe	59
PID 2916 wrote to memory of 888	2916	System.exe	59
PID 888 wrote to memory of 2200	888	cmd.exe	61
PID 888 wrote to memory of 2200	888	cmd.exe	61
PID 888 wrote to memory of 2200	888	cmd.exe	61
PID 888 wrote to memory of 1436	888	cmd.exe	62
PID 888 wrote to memory of 1436	888	cmd.exe	62
PID 888 wrote to memory of 1436	888	cmd.exe	62
PID 1436 wrote to memory of 544	1436	System.exe	63
PID 1436 wrote to memory of 544	1436	System.exe	63
PID 1436 wrote to memory of 544	1436	System.exe	63
PID 544 wrote to memory of 1728	544	cmd.exe	65
PID 544 wrote to memory of 1728	544	cmd.exe	65
PID 544 wrote to memory of 1728	544	cmd.exe	65
PID 544 wrote to memory of 1580	544	cmd.exe	66
PID 544 wrote to memory of 1580	544	cmd.exe	66
PID 544 wrote to memory of 1580	544	cmd.exe	66
PID 1580 wrote to memory of 2760	1580	System.exe	67
PID 1580 wrote to memory of 2760	1580	System.exe	67
PID 1580 wrote to memory of 2760	1580	System.exe	67
PID 2760 wrote to memory of 2668	2760	cmd.exe	69
PID 2760 wrote to memory of 2668	2760	cmd.exe	69
PID 2760 wrote to memory of 2668	2760	cmd.exe	69
PID 2760 wrote to memory of 2596	2760	cmd.exe	70
PID 2760 wrote to memory of 2596	2760	cmd.exe	70
PID 2760 wrote to memory of 2596	2760	cmd.exe	70
PID 2596 wrote to memory of 2884	2596	System.exe	71
PID 2596 wrote to memory of 2884	2596	System.exe	71
PID 2596 wrote to memory of 2884	2596	System.exe	71
PID 2884 wrote to memory of 1852	2884	cmd.exe	73
PID 2884 wrote to memory of 1852	2884	cmd.exe	73
PID 2884 wrote to memory of 1852	2884	cmd.exe	73
PID 2884 wrote to memory of 264	2884	cmd.exe	74
PID 2884 wrote to memory of 264	2884	cmd.exe	74
PID 2884 wrote to memory of 264	2884	cmd.exe	74
PID 264 wrote to memory of 536	264	System.exe	75
PID 264 wrote to memory of 536	264	System.exe	75
PID 264 wrote to memory of 536	264	System.exe	75
PID 536 wrote to memory of 1592	536	cmd.exe	77
PID 536 wrote to memory of 1592	536	cmd.exe	77
PID 536 wrote to memory of 1592	536	cmd.exe	77
PID 536 wrote to memory of 1660	536	cmd.exe	78
PID 536 wrote to memory of 1660	536	cmd.exe	78
PID 536 wrote to memory of 1660	536	cmd.exe	78
PID 1660 wrote to memory of 1420	1660	System.exe	79

System policy modification 1 TTPs 42 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b34673a6ae78f3a63160d7f87c92a6d4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b34673a6ae78f3a63160d7f87c92a6d4.exe
"C:\Users\Admin\AppData\Local\Temp\b34673a6ae78f3a63160d7f87c92a6d4.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xTad22mSPj.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1808
- - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
    "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2324
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:444
    - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2200
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1728
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2668
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1852
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1592
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        16⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2476
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        18⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1620
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        20⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2540
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        22⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2796
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        24⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2460
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
        26⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2728
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\debug\WIA\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\debug\WIA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\System.exe

Filesize
2.4MB

MD5
b34673a6ae78f3a63160d7f87c92a6d4

SHA1
3e28a8ac30adf1ef1409d58d0b6949bb500b1a09

SHA256
5a47bbdd5a87677ce485cfa5eae97ce572dae896ec0fb306f8b4a2ad8d5f856c

SHA512
5e2d5a4b0bc3225e4bf2d4985a26d23fa435d3044888ffbf93d64fc78838e73d3093a9b285da5b6fa922a9f1f8d707ee658e8dad3c75655b952b8b328d118be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
224B

MD5
1e1a7a72c6cf7024b23dc275e28e37e2

SHA1
7e5286c35bd3eeaf201de7d631824d657e5eb43c

SHA256
32a1931a200e556471ff6efa35698da34beff7665128a7754637b1ef88b153df

SHA512
8c4ead3ece34dcef3fc58e366c681ed4c23834f9349458451b6fc6a2a5f55c7523454eca4491c010fca8dab72d9ad6a25ae9a87924a45942f405522dc2784ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
224B

MD5
01ba2f0fcd21f6af403dbf9791efb1fa

SHA1
09edd01f829259699430b71b72fb08f1994a9ef0

SHA256
4a5496afb144199a797de1aaca219fcd8648bfcde70f4b801d69eda444c359b0

SHA512
626db11433644cded8619b760bee0dae0d9eb0f7feabf9949090109d3181071c46f9bb74ad3e1ec481f6d214cadf01d0a2e3926fc6046f693b87ccac0ade5e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
224B

MD5
22bcdbb141d60a5698e04373d53f2797

SHA1
c819a3b2f382644daa96b93e40205e63540bd4ce

SHA256
1122a4b1443d4002bc4fb133aa9b23c526a049a676b77ff1c0b4075fb6f3ca64

SHA512
16a224936cc2fe23529aaf99a505c1859245d48456b9325edf7c5b2fea6e5bb8471f8d9d46b7efdfb9b76dceaeb2965017a5eb6257b13daa5bcf868ba215f9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
224B

MD5
43b735590a8b6e99947771b5c8116067

SHA1
1460e61ae06e5e8dc91926dcce6acba8ff660634

SHA256
718f4b2133ba4c8f649e18caa7f08a53e3bcc45710268ef094456728ba5acdf2

SHA512
9f61d43d82144aa35f47ee4e07e506c5d6bdd0bb32df76361544cb1b6d4d1635ff87c1231ecae59d8538134fa8c96a01a9903da2fa461a93d03d45623cf34e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat

Filesize
224B

MD5
92ec6636fd0e5536559a862e89b4e78d

SHA1
f39e706698319727f35d3e8ab3bebe111999224d

SHA256
8b2961e3d2de34bfd17fd12a4416e1e800e744da27864f7d20491abfb19b12c6

SHA512
16505451c80b109753619e410665b4b9b12211d122d9114bb869f5afeed28710528d7d07cd9abc95d94d7b5da48be167c7261273b4eddca46d62a934e18431c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
224B

MD5
9e8e7222347cdd1b677033b2d7899e70

SHA1
3a9fc08de82a552f152146baf8c2d11f75ce3822

SHA256
f4d392b7021fd2858078d790930e55f1570170758511052fc66e114693f716ac

SHA512
9841d9be17f31ed97dcf6077cfbb364c372595953043d35bdf40501bde77d5877ddc079b3051adb2394453b7254194c3ac0bbfd60e06e1749ef8f91358361c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
224B

MD5
d4e5caba310649184c60414bfe79170b

SHA1
f9c4079f0b4a86915e01c0fe28ae8a91a7379df4

SHA256
5c06757b8744b39ca72675bf580ea4bf87bf7d4cb3f42187501323474bd38de6

SHA512
2ee78ecd1a985d6fcedbeadc22bf058b0ba1fdf5ea3ba54b7984df7713a42ae9c860f44cb02a740ef032e64709a0fe8383e0087bafd5c5fa349e342d87b9db82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
224B

MD5
8866251cbe8c9e431e03a67328bbd277

SHA1
4bbb3462ad5e13e2ad331c256b343903f2d082df

SHA256
96865065b994a0e6163a14c4bfe2221b3e2650b50d345786d8265f2ce16f8cac

SHA512
8047f42e2bfb95ebc6971db5cc6aad25087887e14de04e6bbc03c18b46becace180e7c7930419d4785fd9120f4b8fa1aba036e3ab8d19a7c725fda3ed555c836

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
224B

MD5
76b88c3d04baab9ee35ba20f533cdf93

SHA1
e61252ecb0d27e374cb2c2a3fdeac3a0391415cc

SHA256
64a50f5b9bc4e6ad1c64a68ff67880be1544d4c575dc52cbb273b750e0f370e7

SHA512
171e0e79e0565efdc0afde55c9371de27513d5af7a0e5361d60ac894e5ea859c77027c805de0efb93bdb58e2c90b94688d124066ffc404e565d27e8b06089d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xTad22mSPj.bat

Filesize
224B

MD5
8b7ceb6b281635815f92f7d47b4fc22b

SHA1
7799980d6c585eadc02fd29e522e752f4b43119d

SHA256
1892fad15da64a94d566ad31c72d07d0b3c78539ac8f3c4eff9a5ad9f2a184e7

SHA512
9ed105c5a700aa6629566dea6290def25c74e7316abe8d00c3dcd0a0b81a39d76ec088b4696320a494865831838c75c33db1e1ea28984d8ba79fac6f14474fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
224B

MD5
2eea6398c1b151bfb40c109681bc6c0f

SHA1
9589d0a945b8b963603d81e55ce2d060f34daa34

SHA256
66f7faea931fb5e23e5aaf75dcc26ecaa542f86382782291a1ebe1903394029d

SHA512
7adceac1a60c7e781ab61d58b969d2681c9faead4d3d638e18be8aea076cb1a7b9741dc9e8bd9a4857f59414009286d2ceecfd26039b1f0a640a0e33cd16978c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
224B

MD5
62985b6707a83ebfee06baba9967dd27

SHA1
463ae89e4037cb73cebd07e5a93381cf0834664b

SHA256
bf0c2da614740ed3424b1f96768251c6a4e42dd6aec99c390c5844df81f21750

SHA512
9230110aa3cbec10928651e015cea27562fa141083183043aeb4a53a3d036527cc50c5d6b87aeb7abb029eae74e131a15a0ea1c84369b38f37ec2387b6846ceb

Download Submit
memory/264-75-0x0000000002170000-0x00000000021C6000-memory.dmp

Filesize
344KB

Download
memory/264-74-0x0000000000220000-0x0000000000482000-memory.dmp

Filesize
2.4MB

Download
memory/652-90-0x0000000001160000-0x00000000013C2000-memory.dmp

Filesize
2.4MB

Download
memory/1580-59-0x00000000011C0000-0x0000000001422000-memory.dmp

Filesize
2.4MB

Download
memory/1580-60-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/1632-126-0x0000000001350000-0x00000000015B2000-memory.dmp

Filesize
2.4MB

Download
memory/1660-83-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1660-82-0x00000000003E0000-0x0000000000642000-memory.dmp

Filesize
2.4MB

Download
memory/1792-97-0x0000000000300000-0x0000000000356000-memory.dmp

Filesize
344KB

Download
memory/1792-98-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/2212-11-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2212-15-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2212-1-0x0000000000360000-0x00000000005C2000-memory.dmp

Filesize
2.4MB

Download
memory/2212-3-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2212-5-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2212-33-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-16-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/2212-2-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2212-14-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2212-4-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2212-13-0x0000000002160000-0x000000000216C000-memory.dmp

Filesize
48KB

Download
memory/2212-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2212-12-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/2212-10-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2212-9-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2212-8-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2212-7-0x0000000000840000-0x0000000000896000-memory.dmp

Filesize
344KB

Download
memory/2212-6-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/2324-37-0x0000000001080000-0x00000000012E2000-memory.dmp

Filesize
2.4MB

Download
memory/2324-38-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/2436-105-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/2596-67-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2604-112-0x0000000000C60000-0x0000000000CB6000-memory.dmp

Filesize
344KB

Download
memory/2916-46-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/2916-45-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2964-119-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download