dcrat | d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

Resubmissions

13/01/2025, 04:00

250113-ek259svldv 10

12/01/2025, 15:28

250112-swpwzazrdl 10

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12/01/2025, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Size

984KB
MD5

808d571c621732642832aaca4a519717
SHA1

cf71f6fc8f7ad0d691cf899928296be33ed46e49
SHA256

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce
SHA512

f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88
SSDEEP

12288:syEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo+:syErYT+PvXIUln/1GJgo+

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1500	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1500	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1804-1-0x0000000000860000-0x000000000095C000-memory.dmp	dcrat
behavioral1/files/0x00050000000193df-24.dat	dcrat
behavioral1/files/0x0007000000018704-82.dat	dcrat
behavioral1/files/0x0006000000019512-92.dat	dcrat
behavioral1/files/0x000a0000000193df-138.dat	dcrat
behavioral1/files/0x0007000000019509-149.dat	dcrat
behavioral1/files/0x000700000001957e-160.dat	dcrat
behavioral1/files/0x0008000000019621-183.dat	dcrat
behavioral1/files/0x000800000001962b-205.dat	dcrat
behavioral1/memory/2448-281-0x0000000000870000-0x000000000096C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
2992	powershell.exe
2772	powershell.exe
1120	powershell.exe
932	powershell.exe
2948	powershell.exe
1796	powershell.exe
2880	powershell.exe
2288	powershell.exe
1112	powershell.exe
1944	powershell.exe
2712	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\RCXD190.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXD675.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXDF63.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Internet Explorer\f3b6ecef712a24	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\VideoLAN\VLC\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCXD607.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Internet Explorer\spoolsv.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Google\Update\wininit.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXD8E7.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\spoolsv.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXDF62.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Google\Update\wininit.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Google\Update\56085415360792	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\42af1c969fbb7b	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\VideoLAN\VLC\886983d96e3d3e	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXD191.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXD879.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\taskhost.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Windows\LiveKernelReports\b75386f1303e64	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXD395.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXD403.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Windows\LiveKernelReports\taskhost.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe
2636	schtasks.exe
2424	schtasks.exe
1760	schtasks.exe
2596	schtasks.exe
2908	schtasks.exe
808	schtasks.exe
924	schtasks.exe
2808	schtasks.exe
2756	schtasks.exe
1872	schtasks.exe
2256	schtasks.exe
1648	schtasks.exe
1376	schtasks.exe
1656	schtasks.exe
1984	schtasks.exe
2892	schtasks.exe
2444	schtasks.exe
2020	schtasks.exe
2968	schtasks.exe
2972	schtasks.exe
684	schtasks.exe
1384	schtasks.exe
1840	schtasks.exe
2800	schtasks.exe
2868	schtasks.exe
2708	schtasks.exe
1540	schtasks.exe
852	schtasks.exe
2512	schtasks.exe
2836	schtasks.exe
2996	schtasks.exe
2084	schtasks.exe
1636	schtasks.exe
2416	schtasks.exe
1960	schtasks.exe
1484	schtasks.exe
2212	schtasks.exe
1712	schtasks.exe
640	schtasks.exe
824	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
2288	powershell.exe
1796	powershell.exe
1952	powershell.exe
1944	powershell.exe
2880	powershell.exe
2712	powershell.exe
2772	powershell.exe
1120	powershell.exe
2992	powershell.exe
932	powershell.exe
2948	powershell.exe
1112	powershell.exe
2448	csrss.exe
2448	csrss.exe
2448	csrss.exe
2448	csrss.exe
2448	csrss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2448	csrss.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1796	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	74
PID 1804 wrote to memory of 1796	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	74
PID 1804 wrote to memory of 1796	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	74
PID 1804 wrote to memory of 2880	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	75
PID 1804 wrote to memory of 2880	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	75
PID 1804 wrote to memory of 2880	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	75
PID 1804 wrote to memory of 2288	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	76
PID 1804 wrote to memory of 2288	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	76
PID 1804 wrote to memory of 2288	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	76
PID 1804 wrote to memory of 2772	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	77
PID 1804 wrote to memory of 2772	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	77
PID 1804 wrote to memory of 2772	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	77
PID 1804 wrote to memory of 2992	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	78
PID 1804 wrote to memory of 2992	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	78
PID 1804 wrote to memory of 2992	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	78
PID 1804 wrote to memory of 1952	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 1804 wrote to memory of 1952	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 1804 wrote to memory of 1952	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 1804 wrote to memory of 1112	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	82
PID 1804 wrote to memory of 1112	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	82
PID 1804 wrote to memory of 1112	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	82
PID 1804 wrote to memory of 1944	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	83
PID 1804 wrote to memory of 1944	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	83
PID 1804 wrote to memory of 1944	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	83
PID 1804 wrote to memory of 1120	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	84
PID 1804 wrote to memory of 1120	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	84
PID 1804 wrote to memory of 1120	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	84
PID 1804 wrote to memory of 2712	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	85
PID 1804 wrote to memory of 2712	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	85
PID 1804 wrote to memory of 2712	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	85
PID 1804 wrote to memory of 932	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	86
PID 1804 wrote to memory of 932	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	86
PID 1804 wrote to memory of 932	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	86
PID 1804 wrote to memory of 2948	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	87
PID 1804 wrote to memory of 2948	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	87
PID 1804 wrote to memory of 2948	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	87
PID 1804 wrote to memory of 2668	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	98
PID 1804 wrote to memory of 2668	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	98
PID 1804 wrote to memory of 2668	1804	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	98
PID 2668 wrote to memory of 1384	2668	cmd.exe	100
PID 2668 wrote to memory of 1384	2668	cmd.exe	100
PID 2668 wrote to memory of 1384	2668	cmd.exe	100
PID 2668 wrote to memory of 2448	2668	cmd.exe	101
PID 2668 wrote to memory of 2448	2668	cmd.exe	101
PID 2668 wrote to memory of 2448	2668	cmd.exe	101

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
"C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f3c4kdafJa.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1384
- - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe
    "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ced" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Adobe\Updater6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
984KB

MD5
bff04a428b9804f9dbf724ae12b40972

SHA1
5326f6b59d55a32582b144794aec55c9b8f1ac64

SHA256
110c761208a2f1b7f3d8cc1084b09968879204a88e5c1d3359677c17ac2d7c1d

SHA512
1de3c4292f0918112b1c8d824b022b0aa5c26132a4d0d037f6354047a728c78cb127023d8b06e909b63f0325d3445b5ce21a0e4b96b873b38972775846ce73c7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RCXC8A3.tmp

Filesize
984KB

MD5
68ed46532accd01427c17de8a3e46dba

SHA1
aa19c5af73ee8c0a0d798cb8263b6a9a034625ca

SHA256
08024cbedfeb2e3e05af74725bbe1d3022506ed74adc7758dddce924cc281002

SHA512
47c2b2128d7764bd27efa0291681922cb396b21f503f5a3cfc5e33eb144d03cb4e7a407efbc1ad496b128e12a634e3d5f9505ac2cb21bb06256f14366714d090

Download Submit
C:\Program Files (x86)\Internet Explorer\spoolsv.exe

Filesize
984KB

MD5
1c41f6acd0db3f74e15f1533e590c49e

SHA1
a44f91244e2d1f0955f4942acdf2d9790cc277b5

SHA256
42553285809ed39b8925d1a2796a25c371fe10fb392ebfcddb6aada054b3e50a

SHA512
c3c957f156100d3423cb58f471f0349d010a17360baa6dd39663cbdc4e0a4843003e44cf587114c15a1712274338daec8cbf9e51733bdb76d771914509078c24

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\audiodg.exe

Filesize
984KB

MD5
0a13b776767b66c107853adfc9f65292

SHA1
48bdf7f09a81494c5d92c332d08172a5d7566cba

SHA256
5f2803aa33a3b306ac4f3bd5efb51a6ec5419054f769536c15b37a2cc7a502ae

SHA512
f72a9dc24f9bd7da5697273be8d515224f72398a2d4ca52fe7369539cfb47904d4f0499e02c3d4f94ed8c9f37f1d610cce4f84c6ede45687e03f07fd083497fd

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe

Filesize
984KB

MD5
c988938b814c8977e7be9fd2fab1ff5c

SHA1
450cc190675956a9cc2d1ba02c640c2d7f6e6ebd

SHA256
84ce24e855d3a5b7c9d5cd821ca6c3dbc973d84b3f70454aa75c9f6d5e627652

SHA512
7a95bd4195ea4ab6f51d20ed81662e4237749bf5fdc8d28d996b3df6ce9122573eccc4a8aeaf6c3402711febf82069abb425701ff978a2c0c256bd6a74a317e2

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe

Filesize
984KB

MD5
02080655b5d068dba4a71712274443c4

SHA1
0c04d012929abea7327a3500bf6f97a41f3cdded

SHA256
999d8df9b465c13fc13024265dec808aabbd8460dd44fbe5939dbc66aecefea5

SHA512
3f9a92c9a1bfb766267bcec0eb5084312ee39781da0c025c6cf85f9a35d8247d83605efbd944a3c9924223a256b494ce01ad80605e522f6c45f0f568f129ada4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3c4kdafJa.bat

Filesize
223B

MD5
6b1d5e6d1cfd99b8d2bebe3c732b1de9

SHA1
e97734d45565a61fe7d16c45b078963d81236189

SHA256
662beaa6eb9defe7560f3bfe6e81cdbaf50910ae338b8adf1162de531b88ede1

SHA512
7ce6f99c576754333f39d92a066df2906fbf070c9062a152ff073ebe5ed483b2bababffd0e02a872328c039ec2691149892842504d6a26cf6ebcbd1aa9092f02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
de45c15feabd059a6b723e7a5d9634f4

SHA1
56d036b5906baf12f93cb003bc8fdf272af5e058

SHA256
4cd8a8cfb193a122d3da5b540382560a5b1de3b8a226126d81828525c8ddc54e

SHA512
41ea76a306a4d74ca6d65c79b538e5b83e4305f84d8618f930430c072628313d623d7fe80d8642f952b455a49ed83fa30783e2cc8886385bc22fdb10c31389ee

Download Submit
C:\Users\Default\Downloads\WmiPrvSE.exe

Filesize
984KB

MD5
808d571c621732642832aaca4a519717

SHA1
cf71f6fc8f7ad0d691cf899928296be33ed46e49

SHA256
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

SHA512
f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88

Download Submit
C:\Windows\LiveKernelReports\taskhost.exe

Filesize
984KB

MD5
d561f2b7d47379e3497959a9a605b757

SHA1
673344ecc7ec1e2fef2f3d4efc0fcee77674e1d7

SHA256
73bd0d123a564a4fc77448c09b71ed7e767c64afe80f4169a6e3ab0f65de8e1f

SHA512
d0ae941863b920170e0f065083b9696affbccfa57f9fce827c08c9c259c66a38b49e7974ff983aa7b25d32e11b2d7589af18f3230fbb82324dfca5ed9bcc8d54

Download Submit
memory/1804-15-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1804-5-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/1804-12-0x0000000002120000-0x000000000212E000-memory.dmp

Filesize
56KB

Download
memory/1804-13-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/1804-9-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/1804-14-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/1804-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/1804-8-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1804-7-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/1804-4-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/1804-11-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/1804-6-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/1804-10-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/1804-186-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/1804-3-0x0000000000750000-0x000000000075E000-memory.dmp

Filesize
56KB

Download
memory/1804-210-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1804-1-0x0000000000860000-0x000000000095C000-memory.dmp

Filesize
1008KB

Download
memory/1804-216-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1804-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/2288-230-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2288-227-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2448-281-0x0000000000870000-0x000000000096C000-memory.dmp

Filesize
1008KB

Download