dcrat | f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21

Analysis

max time kernel
92s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Size

2.7MB
MD5

974e955c30ae5c68c82af0fd2001c330
SHA1

f52e77c911f388ba9ec33a6f5c18450c440cfb52
SHA256

f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21
SHA512

298319af2faf835ee81496c950e45f9e4ea70dbc9d7406c854dfa1a12411c0be6503ee9e9fca179ad035df2698877a2ed6458a1ad096fdf088b555227a711653
SSDEEP

49152:MDkZWCF2T8juUND4YQxZzfllulb0fnyN27mEGnjYEhQ+QK:t4CF2sjELplCbmyN27PxEhQ+

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	244	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	3024	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3024	schtasks.exe	84

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/2780-1-0x0000000000320000-0x00000000005D4000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ccb-30.dat	dcrat
behavioral2/files/0x000b000000023cfe-97.dat	dcrat
behavioral2/files/0x0008000000023cc8-119.dat	dcrat
behavioral2/files/0x0009000000023cd4-164.dat	dcrat
behavioral2/files/0x000c000000023cdb-199.dat	dcrat
behavioral2/files/0x000b000000023cec-253.dat	dcrat
behavioral2/files/0x0008000000023d05-281.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Executes dropped EXE 1 IoCs

pid	Process
440	Registry.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXBA64.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Defender\explorer.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Internet Explorer\121e5b5079f7c0	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\7-Zip\SearchApp.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX9F83.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXA6AC.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\7-Zip\38384e6a620884	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Internet Explorer\dllhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXA1A8.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXA429.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\7-Zip\SearchApp.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\7-Zip\RCX9CE0.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX9F05.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Internet Explorer\sysmon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows Defender\7a0fd90576e088	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\7-Zip\RCX9CE1.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXB9E6.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\cc11b995f2a76d	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXA6BD.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\dllhost.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files\Internet Explorer\sysmon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\6ccacd8608530f	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXA1A7.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\explorer.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\RCXA4A7.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Internet Explorer\5940a34987c991	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXBE8E.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXBE9E.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\ee2ad38f3d4382	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX9ADB.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXA93F.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Registry.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\appcompat\Programs\RCXB7C1.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\fr-FR\e6c9b481da804f	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCXA93E.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Panther\actionqueue\OfficeClickToRun.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\fr-FR\OfficeClickToRun.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\WaaS\tasks\csrss.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXC5C9.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\appcompat\Programs\unsecapp.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCX9A5D.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\fr-FR\RCXADD6.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\121e5b5079f7c0	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\Prefetch\ReadyBoot\Registry.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\appcompat\Programs\unsecapp.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\Panther\actionqueue\OfficeClickToRun.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\Panther\actionqueue\e6c9b481da804f	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\fr-FR\RCXAE54.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\Panther\actionqueue\RCXC54B.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\CSC\RuntimeBroker.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File created	C:\Windows\appcompat\Programs\29c1c3cc0f7685	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\fr-FR\OfficeClickToRun.exe	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
File opened for modification	C:\Windows\appcompat\Programs\RCXB7D2.tmp	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4000	schtasks.exe
4836	schtasks.exe
3872	schtasks.exe
3080	schtasks.exe
1916	schtasks.exe
2784	schtasks.exe
2688	schtasks.exe
4740	schtasks.exe
4596	schtasks.exe
244	schtasks.exe
5028	schtasks.exe
3400	schtasks.exe
3660	schtasks.exe
4808	schtasks.exe
668	schtasks.exe
3540	schtasks.exe
1692	schtasks.exe
3368	schtasks.exe
216	schtasks.exe
516	schtasks.exe
4384	schtasks.exe
1588	schtasks.exe
2276	schtasks.exe
3680	schtasks.exe
3688	schtasks.exe
3032	schtasks.exe
4964	schtasks.exe
4860	schtasks.exe
2380	schtasks.exe
3288	schtasks.exe
3612	schtasks.exe
2128	schtasks.exe
2116	schtasks.exe
792	schtasks.exe
4628	schtasks.exe
3892	schtasks.exe
5116	schtasks.exe
316	schtasks.exe
2988	schtasks.exe
3988	schtasks.exe
4780	schtasks.exe
1248	schtasks.exe
3284	schtasks.exe
3472	schtasks.exe
4056	schtasks.exe
3956	schtasks.exe
4168	schtasks.exe
2144	schtasks.exe
228	schtasks.exe
2848	schtasks.exe
3320	schtasks.exe
2336	schtasks.exe
3268	schtasks.exe
4528	schtasks.exe
3940	schtasks.exe
3772	schtasks.exe
4736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
440	Registry.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Token: SeDebugPrivilege	440	Registry.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 392	2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe	148
PID 2780 wrote to memory of 392	2780	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe	148
PID 392 wrote to memory of 4736	392	cmd.exe	150
PID 392 wrote to memory of 4736	392	cmd.exe	150
PID 392 wrote to memory of 440	392	cmd.exe	151
PID 392 wrote to memory of 440	392	cmd.exe	151

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Registry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Registry.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe
"C:\Users\Admin\AppData\Local\Temp\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tVUxPy0Pel.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4736
- - C:\Windows\Prefetch\ReadyBoot\Registry.exe
    "C:\Windows\Prefetch\ReadyBoot\Registry.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\7-Zip\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21f" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21" /sc ONLOGON /tr "'C:\Users\Default\Templates\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21f" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\Programs\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\Programs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\actionqueue\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\actionqueue\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe

Filesize
2.7MB

MD5
6ec6ebce4733f0ae0643d727a5e0eca8

SHA1
1b77b8d0d9ea0df1e8186857231519b659facec9

SHA256
5430cf299127e1eab13b2249d4c9cfa80efff4fcf5af185a6306fc28e4c85399

SHA512
7a164040b820bfa17cc1f64927408749fe66a162aa7e8d41e503f2e77286548b2b56fdcaa10824f1434a482f2694ea3ee0cccd5dffcce67c1d91015b7fa24893

Download Submit
C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe

Filesize
2.7MB

MD5
974e955c30ae5c68c82af0fd2001c330

SHA1
f52e77c911f388ba9ec33a6f5c18450c440cfb52

SHA256
f3b87a68e3780951dce0104da18f6e75c860c3aa830f9b4a0a4508ba75184c21

SHA512
298319af2faf835ee81496c950e45f9e4ea70dbc9d7406c854dfa1a12411c0be6503ee9e9fca179ad035df2698877a2ed6458a1ad096fdf088b555227a711653

Download Submit
C:\Program Files (x86)\Internet Explorer\ja-JP\winlogon.exe

Filesize
2.7MB

MD5
5cd5df64a391f46c9670fae792f4d831

SHA1
34202d437887bd25741d64ec829fb67d7ab966bb

SHA256
120c7e42df5e0bf65026db0cde067637d3f1bffae1de13a080dbde3757ce96d7

SHA512
a663434853e3278987d2fe13cfd0d78f9a2edff6db1c6f46d9ced088c3ac6a01d3803a93fdb581474996df463ee1d888cb582a6e046b9f34141228a8fd37086e

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
2.7MB

MD5
b6c90632d699f30a21c0a04f8fdbfa8e

SHA1
f6698f75ab6f6c85cffe3cbf3e3de42fd3b74adb

SHA256
16cccd27b1024b45260838aa6ee5df84261ba21b6471c5b72b4705485fb31a4f

SHA512
e39df51d69713afccd3c4cfc36f48b09989840330457098011a8817cbfc0b1af591804c942cdbecf5255287facfb81b8bc937b140932531d47ea25b65065a4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tVUxPy0Pel.bat

Filesize
207B

MD5
f197ed689f8a4cc655687a69196b398a

SHA1
84c113e3a674f93d44826d95bd765abdbcc1bead

SHA256
b28da3207c195d52e2536a75bd14723d36bc0e5c94a06523e0fab980fa469014

SHA512
4b29bfae8094863552ec2708829e6e14ad256d24f1cf8ae1002fc80cacd27903de94d31edae7619e7773617f23305928fcda62aa968199d8c9d2a7293ca9527d

Download Submit
C:\Users\Admin\RCXC0B3.tmp

Filesize
2.7MB

MD5
a1297156725ea9b4e1f5c1d9394525fe

SHA1
02f470e86ebea0f0a2b59cdff0f9e4174f4d9c51

SHA256
0c9563f644a4a429e6d7811fe7a3de1010b106bbb92219cc5206b96651a87f06

SHA512
3e3cb37ba4630aa291f6035438bf821ed94f8c8c52e302f3f5157ad820ddf3218eaac7d381ae6f496b9afdb4d491e9c3036c18a80d9629f4c883cfca64420b0e

Download Submit
C:\Windows\Panther\actionqueue\OfficeClickToRun.exe

Filesize
2.7MB

MD5
452e2540a8781066332b8841ea055805

SHA1
e76f311f78175d507e1ef08cdfb895b43e76053a

SHA256
720834940044f5957fe5a8c30dbe9f41357a7026976dd98fca672e4fd37b9e48

SHA512
60223dc2d8e4a5e1109ff639b379a8e542190a55227e7c6b98543f65279c2e6f137f98c1c315f0b7d64289f2b8af53d4cdd84dbb27e036eb03e39cba3d81a6d8

Download Submit
C:\Windows\fr-FR\OfficeClickToRun.exe

Filesize
2.7MB

MD5
ec30e2fb6f580ad0fbb2464e6b548bf3

SHA1
321e70f949a9b993a255c62a9d1b95f1b891f490

SHA256
fef32db47de687c5813cd61c1201ad8f7e2b3b26e86ec9e78371fa35f82db96f

SHA512
4760701fa1c979ad4f6cabb315f7169aa80208acdde57577a774d7c81831b6d523f849b4a9d3e549105a85f24ad52dc23f9095c1370072c754747b0e7a577a1f

Download Submit
memory/440-296-0x0000000002F90000-0x0000000002FA2000-memory.dmp

Filesize
72KB

Download
memory/440-295-0x000000001C080000-0x000000001C0D6000-memory.dmp

Filesize
344KB

Download
memory/2780-9-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2780-8-0x0000000002840000-0x0000000002856000-memory.dmp

Filesize
88KB

Download
memory/2780-12-0x00000000028C0000-0x00000000028C8000-memory.dmp

Filesize
32KB

Download
memory/2780-13-0x000000001B930000-0x000000001B942000-memory.dmp

Filesize
72KB

Download
memory/2780-14-0x000000001BE90000-0x000000001C3B8000-memory.dmp

Filesize
5.2MB

Download
memory/2780-17-0x000000001BA80000-0x000000001BA8C000-memory.dmp

Filesize
48KB

Download
memory/2780-16-0x000000001B970000-0x000000001B978000-memory.dmp

Filesize
32KB

Download
memory/2780-15-0x000000001B960000-0x000000001B968000-memory.dmp

Filesize
32KB

Download
memory/2780-18-0x000000001B980000-0x000000001B98E000-memory.dmp

Filesize
56KB

Download
memory/2780-19-0x000000001B990000-0x000000001B99C000-memory.dmp

Filesize
48KB

Download
memory/2780-20-0x000000001B9A0000-0x000000001B9AA000-memory.dmp

Filesize
40KB

Download
memory/2780-21-0x000000001B9B0000-0x000000001B9BC000-memory.dmp

Filesize
48KB

Download
memory/2780-5-0x0000000002870000-0x00000000028C0000-memory.dmp

Filesize
320KB

Download
memory/2780-11-0x000000001B2D0000-0x000000001B326000-memory.dmp

Filesize
344KB

Download
memory/2780-0-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/2780-10-0x000000001B2B0000-0x000000001B2BA000-memory.dmp

Filesize
40KB

Download
memory/2780-190-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

Filesize
8KB

Download
memory/2780-7-0x0000000002830000-0x0000000002840000-memory.dmp

Filesize
64KB

Download
memory/2780-202-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-6-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2780-4-0x0000000002800000-0x000000000281C000-memory.dmp

Filesize
112KB

Download
memory/2780-290-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-3-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/2780-2-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2780-1-0x0000000000320000-0x00000000005D4000-memory.dmp

Filesize
2.7MB

Download