dcrat | 34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Size

1.5MB
MD5

be0ea97c4266a59ca689f4b51a578c20
SHA1

98acacc03b3d3c9706d3c50c98948f0f13529e45
SHA256

34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45
SHA512

03d727b999d1b8a25e284d98a82bb514ffd1ce71d4f73dead5983570461f59c05345608fcfffe9abf3bb8537716bb56aca3b6e774a9040fbf0b99a6199a02505
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\winlogon.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\winlogon.exe\", \"C:\\Windows\\System32\\NlsLexicons0045\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\winlogon.exe\", \"C:\\Windows\\System32\\NlsLexicons0045\\csrss.exe\", \"C:\\Windows\\System32\\WMNetMgr\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2564	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2564	schtasks.exe	30

UAC bypass 3 TTPs 33 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
1664	powershell.exe
2012	powershell.exe
464	powershell.exe
1016	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Executes dropped EXE 10 IoCs

pid	Process
1008	explorer.exe
2212	explorer.exe
2692	explorer.exe
2800	explorer.exe
1264	explorer.exe
2296	explorer.exe
1520	explorer.exe
2816	explorer.exe
2432	explorer.exe
900	explorer.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\winlogon.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Media Player\\es-ES\\winlogon.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsLexicons0045\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsLexicons0045\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\WMNetMgr\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\WMNetMgr\\csrss.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\explorer.exe\""	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Checks whether UAC is enabled 1 TTPs 22 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WMNetMgr\RCXBB8.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\WMNetMgr\csrss.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\NlsLexicons0045\csrss.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\NlsLexicons0045\886983d96e3d3e	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\WMNetMgr\csrss.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Windows\System32\WMNetMgr\886983d96e3d3e	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\NlsLexicons0045\RCX947.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Windows\System32\NlsLexicons0045\csrss.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\cc11b995f2a76d	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX4D2.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\RCX6D6.tmp	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe
1824	schtasks.exe
2944	schtasks.exe
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
2012	powershell.exe
1016	powershell.exe
464	powershell.exe
580	powershell.exe
1664	powershell.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe
1008	explorer.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1008	explorer.exe
Token: SeDebugPrivilege	2212	explorer.exe
Token: SeDebugPrivilege	2692	explorer.exe
Token: SeDebugPrivilege	2800	explorer.exe
Token: SeDebugPrivilege	1264	explorer.exe
Token: SeDebugPrivilege	2296	explorer.exe
Token: SeDebugPrivilege	1520	explorer.exe
Token: SeDebugPrivilege	2816	explorer.exe
Token: SeDebugPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	900	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 580	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	35
PID 2716 wrote to memory of 580	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	35
PID 2716 wrote to memory of 580	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	35
PID 2716 wrote to memory of 1664	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	36
PID 2716 wrote to memory of 1664	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	36
PID 2716 wrote to memory of 1664	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	36
PID 2716 wrote to memory of 2012	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	37
PID 2716 wrote to memory of 2012	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	37
PID 2716 wrote to memory of 2012	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	37
PID 2716 wrote to memory of 464	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	39
PID 2716 wrote to memory of 464	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	39
PID 2716 wrote to memory of 464	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	39
PID 2716 wrote to memory of 1016	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	40
PID 2716 wrote to memory of 1016	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	40
PID 2716 wrote to memory of 1016	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	40
PID 2716 wrote to memory of 1596	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	43
PID 2716 wrote to memory of 1596	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	43
PID 2716 wrote to memory of 1596	2716	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe	43
PID 1596 wrote to memory of 2268	1596	cmd.exe	47
PID 1596 wrote to memory of 2268	1596	cmd.exe	47
PID 1596 wrote to memory of 2268	1596	cmd.exe	47
PID 1596 wrote to memory of 1008	1596	cmd.exe	48
PID 1596 wrote to memory of 1008	1596	cmd.exe	48
PID 1596 wrote to memory of 1008	1596	cmd.exe	48
PID 1008 wrote to memory of 2384	1008	explorer.exe	49
PID 1008 wrote to memory of 2384	1008	explorer.exe	49
PID 1008 wrote to memory of 2384	1008	explorer.exe	49
PID 1008 wrote to memory of 1468	1008	explorer.exe	50
PID 1008 wrote to memory of 1468	1008	explorer.exe	50
PID 1008 wrote to memory of 1468	1008	explorer.exe	50
PID 2384 wrote to memory of 2212	2384	WScript.exe	51
PID 2384 wrote to memory of 2212	2384	WScript.exe	51
PID 2384 wrote to memory of 2212	2384	WScript.exe	51
PID 2212 wrote to memory of 2036	2212	explorer.exe	52
PID 2212 wrote to memory of 2036	2212	explorer.exe	52
PID 2212 wrote to memory of 2036	2212	explorer.exe	52
PID 2212 wrote to memory of 1744	2212	explorer.exe	53
PID 2212 wrote to memory of 1744	2212	explorer.exe	53
PID 2212 wrote to memory of 1744	2212	explorer.exe	53
PID 2036 wrote to memory of 2692	2036	WScript.exe	54
PID 2036 wrote to memory of 2692	2036	WScript.exe	54
PID 2036 wrote to memory of 2692	2036	WScript.exe	54
PID 2692 wrote to memory of 2224	2692	explorer.exe	55
PID 2692 wrote to memory of 2224	2692	explorer.exe	55
PID 2692 wrote to memory of 2224	2692	explorer.exe	55
PID 2692 wrote to memory of 2980	2692	explorer.exe	56
PID 2692 wrote to memory of 2980	2692	explorer.exe	56
PID 2692 wrote to memory of 2980	2692	explorer.exe	56
PID 2224 wrote to memory of 2800	2224	WScript.exe	57
PID 2224 wrote to memory of 2800	2224	WScript.exe	57
PID 2224 wrote to memory of 2800	2224	WScript.exe	57
PID 2800 wrote to memory of 2852	2800	explorer.exe	58
PID 2800 wrote to memory of 2852	2800	explorer.exe	58
PID 2800 wrote to memory of 2852	2800	explorer.exe	58
PID 2800 wrote to memory of 2732	2800	explorer.exe	59
PID 2800 wrote to memory of 2732	2800	explorer.exe	59
PID 2800 wrote to memory of 2732	2800	explorer.exe	59
PID 2852 wrote to memory of 1264	2852	WScript.exe	60
PID 2852 wrote to memory of 1264	2852	WScript.exe	60
PID 2852 wrote to memory of 1264	2852	WScript.exe	60
PID 1264 wrote to memory of 1404	1264	explorer.exe	61
PID 1264 wrote to memory of 1404	1264	explorer.exe	61
PID 1264 wrote to memory of 1404	1264	explorer.exe	61
PID 1264 wrote to memory of 1664	1264	explorer.exe	62

System policy modification 1 TTPs 33 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe
"C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\NlsLexicons0045\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WMNetMgr\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ePwMdLNzXN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2268
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\659b21e4-b1b3-4e05-8d4d-bb3f5e1451af.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2212
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7cb0fc-d74f-4d7a-86e3-613185e0cf1e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9712d74-d910-4665-b5ef-1e7d37e85999.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\564ee2bd-57eb-4062-8093-e56c7c6c021e.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8768855c-0cce-4650-9c3d-4902b52e9536.vbs"
        12⤵
        
        PID:1404
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e5f6290-03f9-44c1-8ac3-6e5160d477ea.vbs"
        14⤵
        
        PID:1444
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d53039d6-33c9-4693-a2e1-a85c5f0ca4dd.vbs"
        16⤵
        
        PID:2756
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be6ce88f-1e3c-4e4f-9943-bb65a1691c8a.vbs"
        18⤵
        
        PID:1892
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e6f2d8-7ffd-491d-b1bb-271eadd28f88.vbs"
        20⤵
        
        PID:2012
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57f3b23-ccd1-4273-91e9-7e38844b62a1.vbs"
        22⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aab09b85-8255-4526-bc59-d51b7e0e0c4c.vbs"
        22⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c69d9032-c55a-4180-9a3f-9b8cce778876.vbs"
        20⤵
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2fbbb7f-2fbc-474e-ba87-6687db3a2cb5.vbs"
        18⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bf4e6dc-cf0f-42ea-a368-2604c259f6ff.vbs"
        16⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca808dc9-6ba3-4f48-aa45-f52a17e674bf.vbs"
        14⤵
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fd9e379-3cb7-470e-b145-46818b82b360.vbs"
        12⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b18614c-ae0f-42b1-ba4a-325649a95ca3.vbs"
        10⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a5b204e-fc7f-4d71-8668-61f8f7dbd7a5.vbs"
        8⤵
        
        PID:2980
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f90d97b-e559-4b2c-a01b-856a0b68d9eb.vbs"
        6⤵
        
        PID:1744
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b75de01b-cbc2-41a3-ac42-eea679cc6cea.vbs"
      4⤵
      PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0045\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\WMNetMgr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe

Filesize
1.5MB

MD5
be0ea97c4266a59ca689f4b51a578c20

SHA1
98acacc03b3d3c9706d3c50c98948f0f13529e45

SHA256
34ecde5e5f444747e8e4ea4c616b17f5f035687a3015b2f824f2bc31aa924d45

SHA512
03d727b999d1b8a25e284d98a82bb514ffd1ce71d4f73dead5983570461f59c05345608fcfffe9abf3bb8537716bb56aca3b6e774a9040fbf0b99a6199a02505

Download Submit
C:\Users\Admin\AppData\Local\Temp\21e6f2d8-7ffd-491d-b1bb-271eadd28f88.vbs

Filesize
746B

MD5
24e057bbdbd7a347c30f4bf6b55d9f0a

SHA1
69f0606cdb2268e899f965d58d63891e21ba9144

SHA256
e289cc0a46dbcf49acd08455e97cc14663460ea9122a846d2b5eba6ea983023f

SHA512
446474c1d76d21845fcc4bc1fe5814958b0c7e7a013bb12e781ce029eaa46c5aaccee10efec6756b833ba57441bc8cadbfef7feba6c02b9754fdd62d6e652bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\564ee2bd-57eb-4062-8093-e56c7c6c021e.vbs

Filesize
746B

MD5
e1c9f5c15dc91ddc2dfae21aaf414d66

SHA1
451a4dde726e90a946886078be1fcf89fce41814

SHA256
725757b5401e70cf55b8d44183267dba92daae65654f4c4eb5e8cbaa204a9586

SHA512
dcf1e5fda6b494fb001175dfa908941fa789744c1acba9a83667d3aa89d1c550a67c47e8c2d8fd09a174ec994d57f1edb3f6c944039f6006eda36f46ae5be91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\659b21e4-b1b3-4e05-8d4d-bb3f5e1451af.vbs

Filesize
746B

MD5
557b97064937bf9c90069e6fdfd8eaa9

SHA1
c9812f1b703e6b696c08d55ef4d344babb99af04

SHA256
4c50019fec901015809bbed946e5221afc8729ca4f1121c32ba3b1adc157c22e

SHA512
d5b6d1ec7be7ca3944ea2cee505689fb3d12b6be22beee716a2acec3eefb9ab48b35172b42214165592f932b416010130edf64e6a12e1da535f22b56059233f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e5f6290-03f9-44c1-8ac3-6e5160d477ea.vbs

Filesize
746B

MD5
e7255d2612bf6d33973042a5f232dd24

SHA1
b2774ef0f18472201122922062329f265cd99bee

SHA256
265e493787243052f0c10f699830a10a61fee57c027b85c080324bb861f8fd73

SHA512
ee66ef0061d8fccae59410cd16470f99351f0c2f9851b15cdb3478ab35a3ef891cac9f2bb23e43ce7be8efc16186903c32c7a127823392d4f710a2919645d25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8768855c-0cce-4650-9c3d-4902b52e9536.vbs

Filesize
746B

MD5
169740c5a8bbf94520aaf735ac4430e5

SHA1
a7086a9a08f0175db7046c47d0f3c14e18de0620

SHA256
b9da7ef806630e66ec0a0e02de4ee65eb5459e0185c87340ee69dc17d1dc6011

SHA512
33285a1fb68aab6cb8c5c3d581b2fb8bc8e94b2227253362020f4ec14874a468c96d1b51c61963e147902dd0736e5495cf985846fd75c3e5fee43b95e138ac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\b75de01b-cbc2-41a3-ac42-eea679cc6cea.vbs

Filesize
522B

MD5
bbc2b54079b6ebfd8cbd09a596705c63

SHA1
536c121e0a14621ab33d1c8f767163443382b0ad

SHA256
70cb984b8785684c2cac37759e85cb294b20bbb6638f228f28a848cf269a6b8f

SHA512
8ade75a12045611c08e59fb793c63654b1747a0115c68e746384df1f2514f2e1b714d2d3c9916266d5e3194935062002056053ae5481977fb0a6bfcf05805617

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9712d74-d910-4665-b5ef-1e7d37e85999.vbs

Filesize
746B

MD5
c78c636a23f083ea04d09635591c15ab

SHA1
170aed7e4cf8b0e83a288ce5cbcb6fd7f0e99e81

SHA256
fecde4231c6bd5736521df525017e6e558286d8dabb5420516f3e4cb52757afa

SHA512
e3b4991b576ae9daa139df318945b09b2963b77806174227e9fdd36b4eb142a36b42a9bd1531584a80f87d7545ea8675e3b7306ef1871c88d3876b06a6b01b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\be6ce88f-1e3c-4e4f-9943-bb65a1691c8a.vbs

Filesize
746B

MD5
be2348fb66ce53c86805cccee0b2a83c

SHA1
7cd157040038f7744e3e8ff6edc3c250cc25cbe3

SHA256
7da23ea0abf78c841ffd37018087e3cfedd05ac6a6354b5ff910191b7858ba60

SHA512
6c51ec968c747b2c26542ed24b2bb3b5a5211b146b152fd586a5a83d1c0e901e9f0bbd12ce4127c5966ce54d5877d1b3270fc756eeb3aebfa2168dbb32c63ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57f3b23-ccd1-4273-91e9-7e38844b62a1.vbs

Filesize
745B

MD5
038d7ddec0c549ebb4bd91f3882f7786

SHA1
b4c52f29d7c6b928698fc79e3a1c5063e01bfbb1

SHA256
44631ad809216511fcca917826bff3f1a01622b65479e2f504f00cc1af73bcea

SHA512
32b4bdc6e5039c1e48c9d2a74ce791c3f8ea551ce60cf047c261d12735b30d9f52f65c8d102e7b676b7989dbdd0faf47577eacffad89adb755560dc6d9ed585d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d53039d6-33c9-4693-a2e1-a85c5f0ca4dd.vbs

Filesize
746B

MD5
1f5820a872edfbf7d7ffb2aa6e4c0a79

SHA1
a71afee93eed71d8052a475da004a05039804650

SHA256
b548de51f16d95c22c6cbf3f21b1a9084558069b741b012195170f0c3bb5d9d6

SHA512
1677bc1ac43ecbca541300e3bf381edc5c60401f5cb0170340114a4cc047d533fa9de3360115a9fe9c2891b3f974ec42b0ff200d63707fa0e7f9d580c9016a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\da7cb0fc-d74f-4d7a-86e3-613185e0cf1e.vbs

Filesize
746B

MD5
8b04663893b3a40334d996d785749e99

SHA1
353d80c63a1dd524e9f3312f23b58ab05d5131b7

SHA256
1467f20da4f662bf995f4144ff133e878330182391a0ad8ac1e8380e37f8c72e

SHA512
2b68ed6829bdf12fef9faa9cd4d2af75fb08d92595306574e8b0035cb8d285ad413202e80d453798c84c0e2d75ea57fa1ec3343d4cbbae37a6497b56050fba56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePwMdLNzXN.bat

Filesize
234B

MD5
760171c86f178422558659588e46685a

SHA1
fee8be68c7df2feea001bfc57743c8af75fb4083

SHA256
6b92bf99e48b5fa646a931020f3d2aa860cc3adb8c5c20dbace3a0a1e6e238bb

SHA512
5f397a700f2829edb676a361cce204c89b69dbd7350961e57b2aa048159b7d25f262c085e9844581cb71a2727794ba7235dcac9bf85cdf8fec5cc6d14738035f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5588cae15dc022912a3f189271efbf5

SHA1
5715dd0b0a58f45daaf232a90f7617dd590febfb

SHA256
496b87e8a5f22f3a746b8d8e7cd3b2de04ab5545987b4de86018215ad6560e31

SHA512
8a81b671e32fa85b65ac17aa7cc87bdeed57cace7f474ffde612cb25c353265aebff3a359d11da55f1722f35bdf5de00346323e30108ac5214cba8f912a9d3d3

Download Submit
memory/1008-96-0x0000000000340000-0x00000000004BE000-memory.dmp

Filesize
1.5MB

Download
memory/1264-143-0x00000000002B0000-0x000000000042E000-memory.dmp

Filesize
1.5MB

Download
memory/1520-167-0x00000000002E0000-0x000000000045E000-memory.dmp

Filesize
1.5MB

Download
memory/1520-168-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2012-75-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2012-77-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2212-107-0x00000000013B0000-0x000000000152E000-memory.dmp

Filesize
1.5MB

Download
memory/2296-155-0x00000000000A0000-0x000000000021E000-memory.dmp

Filesize
1.5MB

Download
memory/2432-193-0x0000000001270000-0x00000000013EE000-memory.dmp

Filesize
1.5MB

Download
memory/2692-119-0x0000000000190000-0x000000000030E000-memory.dmp

Filesize
1.5MB

Download
memory/2716-11-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2716-10-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2716-76-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-17-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/2716-16-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2716-15-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2716-12-0x00000000020A0000-0x00000000020A8000-memory.dmp

Filesize
32KB

Download
memory/2716-13-0x00000000020B0000-0x00000000020BA000-memory.dmp

Filesize
40KB

Download
memory/2716-47-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-14-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2716-18-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2716-20-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/2716-1-0x0000000000880000-0x00000000009FE000-memory.dmp

Filesize
1.5MB

Download
memory/2716-0-0x000007FEF66F3000-0x000007FEF66F4000-memory.dmp

Filesize
4KB

Download
memory/2716-9-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2716-8-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2716-24-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-7-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/2716-6-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2716-5-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2716-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2716-2-0x000007FEF66F0000-0x000007FEF70DC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-21-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2716-3-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2800-131-0x0000000000F10000-0x000000000108E000-memory.dmp

Filesize
1.5MB

Download
memory/2816-181-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2816-180-0x0000000000A10000-0x0000000000B8E000-memory.dmp

Filesize
1.5MB

Download