dcrat | d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

Resubmissions

13-01-2025 04:00

250113-ekp6psvlbx 10

12-01-2025 15:33

250112-szhbasxqfw 10

Analysis

max time kernel
872s
max time network
844s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Size

984KB
MD5

808d571c621732642832aaca4a519717
SHA1

cf71f6fc8f7ad0d691cf899928296be33ed46e49
SHA256

d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce
SHA512

f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88
SSDEEP

12288:syEIOYTNEIf5AycvEhKIV6tEcln0Ai2a61h3cQ9Fk+ntGoWuzsx1oiLgo+:syErYT+PvXIUln/1GJgo+

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2684	schtasks.exe	31

UAC bypass 3 TTPs 33 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

DCRat payload 19 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1916-1-0x0000000000B00000-0x0000000000BFC000-memory.dmp	dcrat
behavioral1/files/0x00060000000173f4-24.dat	dcrat
behavioral1/files/0x000800000001662e-79.dat	dcrat
behavioral1/files/0x000c000000016c62-102.dat	dcrat
behavioral1/memory/1928-184-0x0000000000370000-0x000000000046C000-memory.dmp	dcrat
behavioral1/files/0x000600000001936b-197.dat	dcrat
behavioral1/memory/1756-198-0x00000000002A0000-0x000000000039C000-memory.dmp	dcrat
behavioral1/memory/2404-203-0x0000000000DA0000-0x0000000000E9C000-memory.dmp	dcrat
behavioral1/memory/1856-204-0x0000000000BB0000-0x0000000000CAC000-memory.dmp	dcrat
behavioral1/memory/2024-208-0x0000000000290000-0x000000000038C000-memory.dmp	dcrat
behavioral1/memory/1332-209-0x0000000000D10000-0x0000000000E0C000-memory.dmp	dcrat
behavioral1/memory/284-212-0x0000000000F20000-0x000000000101C000-memory.dmp	dcrat
behavioral1/memory/1280-214-0x0000000000CE0000-0x0000000000DDC000-memory.dmp	dcrat
behavioral1/memory/924-217-0x0000000000DE0000-0x0000000000EDC000-memory.dmp	dcrat
behavioral1/memory/2928-218-0x0000000000390000-0x000000000048C000-memory.dmp	dcrat
behavioral1/memory/2832-221-0x0000000001060000-0x000000000115C000-memory.dmp	dcrat
behavioral1/memory/2596-224-0x0000000001130000-0x000000000122C000-memory.dmp	dcrat
behavioral1/memory/988-225-0x00000000012C0000-0x00000000013BC000-memory.dmp	dcrat
behavioral1/memory/2312-227-0x0000000000320000-0x000000000041C000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
596	powershell.exe
1380	powershell.exe
2128	powershell.exe
1588	powershell.exe
1776	powershell.exe
776	powershell.exe
780	powershell.exe
1952	powershell.exe
3040	powershell.exe
2220	powershell.exe
2116	powershell.exe
1676	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
1928	smss.exe
1756	csrss.exe
1856	lsm.exe
2404	Idle.exe
1332	System.exe
2024	smss.exe
284	WmiPrvSE.exe
1280	csrss.exe
2928	Idle.exe
924	lsm.exe
2832	sppsvc.exe
988	System.exe
2596	smss.exe
2312	csrss.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\0a1fd5f707cd16	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF088.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files (x86)\Google\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXF089.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Uninstall Information\WmiPrvSE.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\0a1fd5f707cd16	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF9F3.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Google\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX8E.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Google\RCXFE8A.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCX8F.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF9F4.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
File opened for modification	C:\Program Files (x86)\Google\RCXFE89.tmp	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1732	schtasks.exe
2896	schtasks.exe
2300	schtasks.exe
1704	schtasks.exe
860	schtasks.exe
1492	schtasks.exe
2700	schtasks.exe
2532	schtasks.exe
2588	schtasks.exe
3008	schtasks.exe
1108	schtasks.exe
1668	schtasks.exe
2000	schtasks.exe
320	schtasks.exe
1592	schtasks.exe
316	schtasks.exe
2732	schtasks.exe
2660	schtasks.exe
2912	schtasks.exe
2564	schtasks.exe
2348	schtasks.exe
1508	schtasks.exe
1932	schtasks.exe
864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
1380	powershell.exe
596	powershell.exe
2128	powershell.exe
776	powershell.exe
1776	powershell.exe
2220	powershell.exe
1952	powershell.exe
2116	powershell.exe
1588	powershell.exe
3040	powershell.exe
780	powershell.exe
1676	powershell.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe
1928	smss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1928	smss.exe
Token: SeDebugPrivilege	1756	csrss.exe
Token: SeDebugPrivilege	2404	Idle.exe
Token: SeDebugPrivilege	1856	lsm.exe
Token: SeDebugPrivilege	2024	smss.exe
Token: SeDebugPrivilege	1332	System.exe
Token: SeDebugPrivilege	284	WmiPrvSE.exe
Token: SeDebugPrivilege	1280	csrss.exe
Token: SeDebugPrivilege	924	lsm.exe
Token: SeDebugPrivilege	2928	Idle.exe
Token: SeDebugPrivilege	2832	sppsvc.exe
Token: SeDebugPrivilege	2596	smss.exe
Token: SeDebugPrivilege	988	System.exe
Token: SeDebugPrivilege	2312	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 596	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	56
PID 1916 wrote to memory of 596	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	56
PID 1916 wrote to memory of 596	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	56
PID 1916 wrote to memory of 1380	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	57
PID 1916 wrote to memory of 1380	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	57
PID 1916 wrote to memory of 1380	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	57
PID 1916 wrote to memory of 776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	58
PID 1916 wrote to memory of 776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	58
PID 1916 wrote to memory of 776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	58
PID 1916 wrote to memory of 1776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	60
PID 1916 wrote to memory of 1776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	60
PID 1916 wrote to memory of 1776	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	60
PID 1916 wrote to memory of 1676	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	61
PID 1916 wrote to memory of 1676	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	61
PID 1916 wrote to memory of 1676	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	61
PID 1916 wrote to memory of 2116	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	63
PID 1916 wrote to memory of 2116	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	63
PID 1916 wrote to memory of 2116	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	63
PID 1916 wrote to memory of 2220	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	64
PID 1916 wrote to memory of 2220	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	64
PID 1916 wrote to memory of 2220	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	64
PID 1916 wrote to memory of 1588	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	65
PID 1916 wrote to memory of 1588	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	65
PID 1916 wrote to memory of 1588	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	65
PID 1916 wrote to memory of 780	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	66
PID 1916 wrote to memory of 780	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	66
PID 1916 wrote to memory of 780	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	66
PID 1916 wrote to memory of 3040	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	67
PID 1916 wrote to memory of 3040	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	67
PID 1916 wrote to memory of 3040	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	67
PID 1916 wrote to memory of 1952	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	68
PID 1916 wrote to memory of 1952	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	68
PID 1916 wrote to memory of 1952	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	68
PID 1916 wrote to memory of 2128	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	69
PID 1916 wrote to memory of 2128	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	69
PID 1916 wrote to memory of 2128	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	69
PID 1916 wrote to memory of 1928	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 1916 wrote to memory of 1928	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 1916 wrote to memory of 1928	1916	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe	80
PID 2128 wrote to memory of 1756	2128	taskeng.exe	83
PID 2128 wrote to memory of 1756	2128	taskeng.exe	83
PID 2128 wrote to memory of 1756	2128	taskeng.exe	83
PID 2128 wrote to memory of 2404	2128	taskeng.exe	84
PID 2128 wrote to memory of 2404	2128	taskeng.exe	84
PID 2128 wrote to memory of 2404	2128	taskeng.exe	84
PID 2128 wrote to memory of 1856	2128	taskeng.exe	85
PID 2128 wrote to memory of 1856	2128	taskeng.exe	85
PID 2128 wrote to memory of 1856	2128	taskeng.exe	85
PID 2128 wrote to memory of 1332	2128	taskeng.exe	87
PID 2128 wrote to memory of 1332	2128	taskeng.exe	87
PID 2128 wrote to memory of 1332	2128	taskeng.exe	87
PID 2128 wrote to memory of 2024	2128	taskeng.exe	86
PID 2128 wrote to memory of 2024	2128	taskeng.exe	86
PID 2128 wrote to memory of 2024	2128	taskeng.exe	86
PID 2128 wrote to memory of 284	2128	taskeng.exe	88
PID 2128 wrote to memory of 284	2128	taskeng.exe	88
PID 2128 wrote to memory of 284	2128	taskeng.exe	88
PID 2128 wrote to memory of 1280	2128	taskeng.exe	89
PID 2128 wrote to memory of 1280	2128	taskeng.exe	89
PID 2128 wrote to memory of 1280	2128	taskeng.exe	89
PID 2128 wrote to memory of 2928	2128	taskeng.exe	90
PID 2128 wrote to memory of 2928	2128	taskeng.exe	90
PID 2128 wrote to memory of 2928	2128	taskeng.exe	90
PID 2128 wrote to memory of 924	2128	taskeng.exe	91

System policy modification 1 TTPs 33 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sppsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe
C:\Users\Admin\AppData\Local\Temp\d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe
  "C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {B8BE51BB-3F66-41BB-8765-3AB3FD2A23D2} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1756
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2404
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe
  "C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2024
- C:\Users\Public\System.exe
  C:\Users\Public\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Program Files\Uninstall Information\WmiPrvSE.exe
  "C:\Program Files\Uninstall Information\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:284
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1280
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
  "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:924
- C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe
  "C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2832
- C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe
  "C:\Users\All Users\Adobe\Acrobat\9.0\smss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2596
- C:\Users\Public\System.exe
  C:\Users\Public\System.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe

Filesize
984KB

MD5
46cc3b20be91c6a72d6bbdb06e3464ed

SHA1
9941c238ff7fc868db5f860b999525b2bc0abb3a

SHA256
069e754102e9f7c322cf5ebe801275459d3e51e0e3b6365de9175c49e4f89f40

SHA512
f4e1cf805e655bb00bdfdb7c0a60fac2d361a4ff8f39afda96bbdf2aeafe4f3b4eee412a507251e035f2fc82102a0169c4b956d9d47cf54d4352d486ad0eeb52

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe

Filesize
984KB

MD5
da4d66fe328d749c558da6e3a4899270

SHA1
a7cd9ca71fe9f1ea3217cf8e1633dc811f56a211

SHA256
d9d151ab0ca505bbc07d24e1d4440b39b5e1bc95c2f92fdd9e37a155d4ed141e

SHA512
169a93fe2e293028b85838c469e6a763abefa54b6515f4656a2094140c3cf48ff83eab4486b6229ca73228385cad9b79687424dbf58928164221bb690a9acff6

Download Submit
C:\Program Files\Uninstall Information\WmiPrvSE.exe

Filesize
984KB

MD5
808d571c621732642832aaca4a519717

SHA1
cf71f6fc8f7ad0d691cf899928296be33ed46e49

SHA256
d80fa7b3ff6a9ccf612307c00a81e470e63c53c6d3370ea7f5490de4f5f477ce

SHA512
f01bb94b9bc2482aebb8862a2cc6a1f43afce1796df373c4d3dd2c33e68f06849c704a4c0a79320f6a1ab04c5227416445c4fe715c18fdfc0bc123f0f79cfb88

Download Submit
C:\ProgramData\Adobe\Acrobat\9.0\smss.exe

Filesize
984KB

MD5
bf8228e0a13d6d5d3d07f815703d8119

SHA1
64542068651a5f23ae77a7ad94d265527aaf7b8a

SHA256
87f0f64ccdcbfc5f21a87460069e8ae4171c64132870f9d0391a39d77b1f99c1

SHA512
8690b962b155a506710e2f960945206e9a682a88be7c05cdc7522e724f0a9232ae9d379450d1309ebcfad6245c5632b0d6345af23070fad1b076038b2ac72953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
460d25eefdb0b48e1eadb1ec1349ef4c

SHA1
854fca1662790e2271de0af0c1073d46b763e9f1

SHA256
f3f6aaa486828e1ee996a3c6c2a8f29df516eb39bb0a80ed99845b16d8ab5177

SHA512
f325e9412035cc3a98c697d9040af2033b24761579a676927a3c68e09497d316bf223609958a16ddefa17862b2349ae098a689e9831bbee24cb66cd0bc006db1

Download Submit
memory/284-212-0x0000000000F20000-0x000000000101C000-memory.dmp

Filesize
1008KB

Download
memory/924-217-0x0000000000DE0000-0x0000000000EDC000-memory.dmp

Filesize
1008KB

Download
memory/988-225-0x00000000012C0000-0x00000000013BC000-memory.dmp

Filesize
1008KB

Download
memory/1280-214-0x0000000000CE0000-0x0000000000DDC000-memory.dmp

Filesize
1008KB

Download
memory/1332-209-0x0000000000D10000-0x0000000000E0C000-memory.dmp

Filesize
1008KB

Download
memory/1380-140-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1380-135-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1756-198-0x00000000002A0000-0x000000000039C000-memory.dmp

Filesize
1008KB

Download
memory/1856-204-0x0000000000BB0000-0x0000000000CAC000-memory.dmp

Filesize
1008KB

Download
memory/1916-2-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1916-11-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1916-12-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download
memory/1916-13-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1916-10-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1916-9-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1916-7-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/1916-185-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-8-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/1916-1-0x0000000000B00000-0x0000000000BFC000-memory.dmp

Filesize
1008KB

Download
memory/1916-6-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/1916-14-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1916-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1916-3-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1916-5-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/1916-15-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1928-184-0x0000000000370000-0x000000000046C000-memory.dmp

Filesize
1008KB

Download
memory/2024-208-0x0000000000290000-0x000000000038C000-memory.dmp

Filesize
1008KB

Download
memory/2312-227-0x0000000000320000-0x000000000041C000-memory.dmp

Filesize
1008KB

Download
memory/2404-203-0x0000000000DA0000-0x0000000000E9C000-memory.dmp

Filesize
1008KB

Download
memory/2596-224-0x0000000001130000-0x000000000122C000-memory.dmp

Filesize
1008KB

Download
memory/2832-221-0x0000000001060000-0x000000000115C000-memory.dmp

Filesize
1008KB

Download
memory/2928-218-0x0000000000390000-0x000000000048C000-memory.dmp

Filesize
1008KB

Download