dcrat | 1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d

Analysis

max time kernel
146s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lithium external.zip
Size

2.5MB
MD5

5abaa60461ee4c19647911a8d9a0006a
SHA1

76cc97f0581d174087f96f058d898b42e8c566a2
SHA256

1605702f0909585b220918e1cbd6b236f5c47714a978990c7d5b43504b90163d
SHA512

93f3d6b3849a2d9c5b81e9fd96cc60d065e5916ff470e974f2b9b5f49462f25ea18b1f4f32c1fe4f3a3c05eb214e1d5e0f6f25f443a5bb3d338eed2471c0f4f3
SSDEEP

49152:aBIg2+HpqXdLYyrF7SUZSiwaJXA78bixRz4S87jaeg7hRFIz39O:o0NLLFSaJsxR4So+eg7hczA

Score

10^/10

dcrat defense_evasion discovery infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1700	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1700	schtasks.exe	33

UAC bypass 3 TTPs 36 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x001a000000016dc9-4.dat	dcrat
behavioral1/files/0x0008000000017530-20.dat	dcrat
behavioral1/memory/3032-24-0x0000000000CE0000-0x0000000000F96000-memory.dmp	dcrat
behavioral1/memory/872-72-0x0000000000800000-0x0000000000AB6000-memory.dmp	dcrat
behavioral1/memory/2416-83-0x0000000001050000-0x0000000001306000-memory.dmp	dcrat
behavioral1/memory/2544-106-0x0000000001110000-0x00000000013C6000-memory.dmp	dcrat
behavioral1/memory/1696-130-0x0000000001130000-0x00000000013E6000-memory.dmp	dcrat
behavioral1/memory/2800-154-0x0000000001380000-0x0000000001636000-memory.dmp	dcrat
behavioral1/memory/2216-178-0x0000000000300000-0x00000000005B6000-memory.dmp	dcrat
behavioral1/memory/2772-191-0x00000000000B0000-0x0000000000366000-memory.dmp	dcrat

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 13 IoCs

pid	Process
2216	Rust External.exe
3032	PortDll.exe
872	services.exe
2416	services.exe
1984	services.exe
2544	services.exe
2700	services.exe
1696	services.exe
2876	services.exe
2800	services.exe
948	services.exe
2216	services.exe
2772	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2596	cmd.exe
2596	cmd.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PortDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Offline\lsm.exe	PortDll.exe
File created	C:\Program Files (x86)\Google\Update\Offline\101b941d020240	PortDll.exe
File created	C:\Program Files (x86)\Google\CrashReports\cmd.exe	PortDll.exe
File created	C:\Program Files (x86)\Google\CrashReports\ebf1f9fa8afd6d	PortDll.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe	PortDll.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\886983d96e3d3e	PortDll.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\6ccacd8608530f	PortDll.exe
File created	C:\Windows\Boot\PortDll.exe	PortDll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\conhost.exe	PortDll.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\conhost.exe	PortDll.exe
File created	C:\Windows\Performance\WinSAT\DataStore\088424020bedd6	PortDll.exe
File created	C:\Windows\LiveKernelReports\Idle.exe	PortDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rust External.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
924	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe
2944	schtasks.exe
2188	schtasks.exe
2280	schtasks.exe
1152	schtasks.exe
2304	schtasks.exe
2128	schtasks.exe
2484	schtasks.exe
1108	schtasks.exe
2576	schtasks.exe
2808	schtasks.exe
1876	schtasks.exe
1800	schtasks.exe
760	schtasks.exe
2676	schtasks.exe
2224	schtasks.exe
2488	schtasks.exe
1344	schtasks.exe
2792	schtasks.exe
316	schtasks.exe
1836	schtasks.exe
1016	schtasks.exe
768	schtasks.exe
2520	schtasks.exe
1884	schtasks.exe
2820	schtasks.exe
1796	schtasks.exe
2396	schtasks.exe
2768	schtasks.exe
2008	schtasks.exe
2144	schtasks.exe
1704	schtasks.exe
3040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1148	7zFM.exe
1148	7zFM.exe
3032	PortDll.exe
1148	7zFM.exe
872	services.exe
2416	services.exe
1984	services.exe
2544	services.exe
2700	services.exe
1696	services.exe
2876	services.exe
2800	services.exe
948	services.exe
2216	services.exe
2772	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1148	7zFM.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	1148	7zFM.exe
Token: 35	1148	7zFM.exe
Token: SeSecurityPrivilege	1148	7zFM.exe
Token: SeDebugPrivilege	3032	PortDll.exe
Token: SeDebugPrivilege	872	services.exe
Token: SeDebugPrivilege	2416	services.exe
Token: SeDebugPrivilege	1984	services.exe
Token: SeDebugPrivilege	2544	services.exe
Token: SeDebugPrivilege	2700	services.exe
Token: SeDebugPrivilege	1696	services.exe
Token: SeDebugPrivilege	2876	services.exe
Token: SeDebugPrivilege	2800	services.exe
Token: SeDebugPrivilege	948	services.exe
Token: SeDebugPrivilege	2216	services.exe
Token: SeDebugPrivilege	2772	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1148	7zFM.exe
1148	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2216	1148	7zFM.exe	28
PID 1148 wrote to memory of 2216	1148	7zFM.exe	28
PID 1148 wrote to memory of 2216	1148	7zFM.exe	28
PID 1148 wrote to memory of 2216	1148	7zFM.exe	28
PID 2216 wrote to memory of 3004	2216	Rust External.exe	29
PID 2216 wrote to memory of 3004	2216	Rust External.exe	29
PID 2216 wrote to memory of 3004	2216	Rust External.exe	29
PID 2216 wrote to memory of 3004	2216	Rust External.exe	29
PID 3004 wrote to memory of 2596	3004	WScript.exe	30
PID 3004 wrote to memory of 2596	3004	WScript.exe	30
PID 3004 wrote to memory of 2596	3004	WScript.exe	30
PID 3004 wrote to memory of 2596	3004	WScript.exe	30
PID 2596 wrote to memory of 3032	2596	cmd.exe	32
PID 2596 wrote to memory of 3032	2596	cmd.exe	32
PID 2596 wrote to memory of 3032	2596	cmd.exe	32
PID 2596 wrote to memory of 3032	2596	cmd.exe	32
PID 3032 wrote to memory of 1684	3032	PortDll.exe	67
PID 3032 wrote to memory of 1684	3032	PortDll.exe	67
PID 3032 wrote to memory of 1684	3032	PortDll.exe	67
PID 1684 wrote to memory of 940	1684	cmd.exe	69
PID 1684 wrote to memory of 940	1684	cmd.exe	69
PID 1684 wrote to memory of 940	1684	cmd.exe	69
PID 2596 wrote to memory of 924	2596	cmd.exe	70
PID 2596 wrote to memory of 924	2596	cmd.exe	70
PID 2596 wrote to memory of 924	2596	cmd.exe	70
PID 2596 wrote to memory of 924	2596	cmd.exe	70
PID 1684 wrote to memory of 872	1684	cmd.exe	71
PID 1684 wrote to memory of 872	1684	cmd.exe	71
PID 1684 wrote to memory of 872	1684	cmd.exe	71
PID 872 wrote to memory of 1320	872	services.exe	72
PID 872 wrote to memory of 1320	872	services.exe	72
PID 872 wrote to memory of 1320	872	services.exe	72
PID 872 wrote to memory of 1608	872	services.exe	73
PID 872 wrote to memory of 1608	872	services.exe	73
PID 872 wrote to memory of 1608	872	services.exe	73
PID 1320 wrote to memory of 2416	1320	WScript.exe	74
PID 1320 wrote to memory of 2416	1320	WScript.exe	74
PID 1320 wrote to memory of 2416	1320	WScript.exe	74
PID 2416 wrote to memory of 2512	2416	services.exe	75
PID 2416 wrote to memory of 2512	2416	services.exe	75
PID 2416 wrote to memory of 2512	2416	services.exe	75
PID 2416 wrote to memory of 2744	2416	services.exe	76
PID 2416 wrote to memory of 2744	2416	services.exe	76
PID 2416 wrote to memory of 2744	2416	services.exe	76
PID 2512 wrote to memory of 1984	2512	WScript.exe	77
PID 2512 wrote to memory of 1984	2512	WScript.exe	77
PID 2512 wrote to memory of 1984	2512	WScript.exe	77
PID 1984 wrote to memory of 2568	1984	services.exe	78
PID 1984 wrote to memory of 2568	1984	services.exe	78
PID 1984 wrote to memory of 2568	1984	services.exe	78
PID 1984 wrote to memory of 1768	1984	services.exe	79
PID 1984 wrote to memory of 1768	1984	services.exe	79
PID 1984 wrote to memory of 1768	1984	services.exe	79
PID 2568 wrote to memory of 2544	2568	WScript.exe	80
PID 2568 wrote to memory of 2544	2568	WScript.exe	80
PID 2568 wrote to memory of 2544	2568	WScript.exe	80
PID 2544 wrote to memory of 2196	2544	services.exe	81
PID 2544 wrote to memory of 2196	2544	services.exe	81
PID 2544 wrote to memory of 2196	2544	services.exe	81
PID 2544 wrote to memory of 2764	2544	services.exe	82
PID 2544 wrote to memory of 2764	2544	services.exe	82
PID 2544 wrote to memory of 2764	2544	services.exe	82
PID 2196 wrote to memory of 2700	2196	WScript.exe	83
PID 2196 wrote to memory of 2700	2196	WScript.exe	83

System policy modification 1 TTPs 36 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	PortDll.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lithium external.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\7zOC74B5BC7\Rust External.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC74B5BC7\Rust External.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Agentcomponentdriver\cF2nsYK.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Agentcomponentdriver\PortDll.exe
        
        "C:\Agentcomponentdriver\PortDll.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TkwDf5ccP3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:940
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\316f9672-6160-48c8-b684-6092aa952a08.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\161d01f4-0a19-4b15-a96a-0196bfbd4412.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6981901-d860-45ca-9575-a5394648547d.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3071df2-1a32-473a-a363-162a211c4230.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f6c47d8-ee80-4051-9166-8d9b07a542fa.vbs"
        16⤵
        
        PID:1344
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42a41586-c750-4ab2-919c-989414805e7f.vbs"
        18⤵
        
        PID:1164
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96e94134-693d-4eb9-9598-01d36fe3ca44.vbs"
        20⤵
        
        PID:2648
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ae1c1ae-c280-453a-adc2-8930653e20db.vbs"
        22⤵
        
        PID:468
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09418815-66e4-4046-acb5-640b42c75efc.vbs"
        24⤵
        
        PID:3032
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        25⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2257cb52-fa75-4298-b850-255b7d91036d.vbs"
        26⤵
        
        PID:2080
        
        C:\Users\All Users\Adobe\Acrobat\9.0\services.exe
        
        "C:\Users\All Users\Adobe\Acrobat\9.0\services.exe"
        27⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbebb884-ccbe-4299-b18f-9813875cb01f.vbs"
        28⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee58e3c-44f9-4b92-9769-bbc7f6de08cc.vbs"
        28⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3994348e-c480-4432-b757-6d9383de0d30.vbs"
        26⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2a1c610-f949-48f2-a07c-c7fd61844f85.vbs"
        24⤵
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\155f28e0-c652-4254-b296-c7e01786d951.vbs"
        22⤵
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87a4a892-a815-4e79-9a43-99bced6c530d.vbs"
        20⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3d54466-ff40-457e-b793-2947a7297ac9.vbs"
        18⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4f5860-c8a2-4659-993b-7a4d0c572d12.vbs"
        16⤵
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\507a343d-e239-4f72-b015-048c1ed5b849.vbs"
        14⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\776509e7-eab3-4f7a-a3c4-4fde1d0a9d67.vbs"
        12⤵
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f1533e-e94c-45e9-86cb-fde48a17dafd.vbs"
        10⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be3d7d20-62d0-4e9d-ab1a-7a7e76a17a60.vbs"
        8⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Agentcomponentdriver\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Agentcomponentdriver\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Agentcomponentdriver\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\Offline\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Agentcomponentdriver\cF2nsYK.vbe

Filesize
224B

MD5
58f14b1ab2fe69675f2092835a963260

SHA1
3a5c88e3f551cdfb6d7053f374f475f65250a342

SHA256
d3aba5d7c01e3f8de8969d52e11aeab5777abf679cf305a3e78bf42f42515283

SHA512
82f3bbb05f13fd062d81862a30f203bc4ca6bcd643a85e3a393bfe5ae77e602fcb2daa0004a29c757c38cbb4c0807316c933f9e0802dba2701363e92566597da

Download Submit
C:\Agentcomponentdriver\gyWUCXXRJzCMxdWE9QlvhicilMz.bat

Filesize
149B

MD5
61f83fd24fdcd1acc1b20155cf97dcd8

SHA1
e21ecbd09f4c98a591f15f6e64cba7b65fd165f5

SHA256
1725ca5841f1f224c9d9e335530e1c805fa838f873e8316db7ff8cc4ffd76120

SHA512
8e1851ce4ab75fbd7286192026904f965f9952fbc0fa9dd3ddc3cd06f1907231d2e977c63a534de618f497d22e1e960bb9edada8c46409ef25e151da6045c6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\09418815-66e4-4046-acb5-640b42c75efc.vbs

Filesize
724B

MD5
6c8dadffc376028761b86bfe2ed4f2dd

SHA1
71f7670e3ac37e1571bb8ba1706864599e072ff9

SHA256
9d7dfadeb5158f295fade0716dca8a63a22fd0c2c0f9338a53e71125673ae78c

SHA512
fda6246364fe0a971872006fec9639eb60359cae014aaf2fcf60a52f657a538f6f1671638369fb0ed2d84c6b1fd743e54e412671c32565cabd51d6a2b2f1a62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\161d01f4-0a19-4b15-a96a-0196bfbd4412.vbs

Filesize
725B

MD5
bf303546b38eaa78b94bdccc8353f758

SHA1
baf2e94edbaab89f063eb6a6789179647c559958

SHA256
2fd8ad95a4f13e2e17194267051be4f98b4af82b0429079fe971389760f53b9b

SHA512
08ac306d8f9bab953132f5ddb1c6dbdde35d07c3a782409ceac522b8c7ef1169f19f7c29fa22ee91f64c5ccbe2ab85d4a2cf9152ab11a886097d30f6e65d559c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2257cb52-fa75-4298-b850-255b7d91036d.vbs

Filesize
725B

MD5
fc0c0fd455eaf19cd2647cb950afdf47

SHA1
2d589e879e0cc64c82f7d8d16b1f80cfaa6f165b

SHA256
3907fd074e84a6a994609d2d73bd77b95832ace4c1903118a8a9dac02b32632a

SHA512
b02150074a263c6cf76cae2016cdfcd11822858bc3d1b6ec7a66c49ee0271dfd46b80ab32584f19a117245aed2e0173ab26ace6bbdbf7d82ca144ab95a3c3f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\316f9672-6160-48c8-b684-6092aa952a08.vbs

Filesize
724B

MD5
5e9862bdb601a5b122e431729d796bf7

SHA1
d43820dcfd50a9f67e60bd1747bdd8407304534e

SHA256
59613150ed74d7603d8d0aad9500b80e2edb8fe9a29b7fb3dd36b6dea5bd0fbe

SHA512
6e2fd4ce131bbac5939a8a5a0a99f3b2c5d537989df0ece868a8e76d0b44d44df6ee6408a31eafbc281a09ac55700ad7fdeb21a15e1a61621780b81646336e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\42a41586-c750-4ab2-919c-989414805e7f.vbs

Filesize
725B

MD5
92f0ad3823aea3628d47332c912cb481

SHA1
a5aec53112f91a1ff37847f828624f2113833ca2

SHA256
e42bffe3e2629326670ad881e6202dfc4f216e14194a0dbb3082511c5030b3f4

SHA512
63cfe63f4567c00c38e09a9467cddb777768d63c2c9109e959f4da7dd742ecbcee9f758e624cd4a0f38ee4e24869445c8910f06e5a5edb48ffebe5fa67bec7b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6c47d8-ee80-4051-9166-8d9b07a542fa.vbs

Filesize
725B

MD5
cd536453ac4b1ac96cf053b7ed7c507c

SHA1
307b9082a73d04bd48943c0826dafb29ffb7df28

SHA256
9bc164d188862143eecbce1b41ee15328e223236e9c4969e378d7d29b305afee

SHA512
c224e7aec6fe5b3cb8f7a172cd18509b24b18e70f9c2fd4d14271e104e5f42ce8f66948ba711d1ab9524051a628ae0bd8235bbfdd13e51d681a058d8c5c7abc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC74B5BC7\Rust External.exe

Filesize
3.0MB

MD5
052d8274e7bd005fabb352b5e5789cd9

SHA1
853421783272ff3bf84999956703f56a9ef6b281

SHA256
656a8bc85180846d696a852121d269f793861c370c1c4c82e9962916c8a5b502

SHA512
c8d0f08dbc22e85bf292905a07ea2d67359ba25c6a601e3d5998ae39a1487df98e070dc0e6a933bf0d33dd41d18a9ae9a75834f3163ec18cf0aa147088eb922d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ae1c1ae-c280-453a-adc2-8930653e20db.vbs

Filesize
725B

MD5
5cfc81dbe1ef22323503ccb3909262e7

SHA1
48606cf2c9a5816912a64d8c6caadc1e22828525

SHA256
5f722ac0ee345fe69b026b5fe025dfe6a2894191b6ee0676f78d674d34e3cd92

SHA512
67f585058e8d07ee26c9f977e31da4345b177f3859c0f2b25cf45f73b1bdd912104fe1ec459a16354536a2b082c5975f063c481fbd88c774ae5b924839d304db

Download Submit
C:\Users\Admin\AppData\Local\Temp\96e94134-693d-4eb9-9598-01d36fe3ca44.vbs

Filesize
725B

MD5
37c8edaf0cfeeee3d413a1375ec4fa51

SHA1
47a10c28c0b52a3847e80ca304667c55cb9d4a8f

SHA256
8a7cc4d1abc13067a6337b8ec9225b29aeabff60881b1b2b86b23e226fe5a723

SHA512
eece15b40f32e3039badcf233f511e71a578245989a90824a5dec6b013441ec24b53f07a5c8ba492f36a2c9992e1f41a6ea26b4fbd027ee72a6f6f4b9750411a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkwDf5ccP3.bat

Filesize
214B

MD5
43f65a3f37fd7ab780cfc217972164aa

SHA1
83a8472f45bbf0e7ef9488c04b9f19f6db795302

SHA256
ffc82f09990a44c2552a6fda34e49470862ae907a53fc2e1450b5009b44e00c5

SHA512
e906b15909d4dc527a961c2d98ee3080f34012f8c99205a7bea10a58bf32886a281b0984e729291620cd0e89396dfb88616f226e1ddbc299aadaf7114a1260c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\be3d7d20-62d0-4e9d-ab1a-7a7e76a17a60.vbs

Filesize
501B

MD5
838ff82a732015b64bd48007e9d303f2

SHA1
e9d2c0cab6633fa2ad156cee2c9f53f7ab863dc3

SHA256
eb2fb9d51b8d41a333a4900b87217fb2ae19e898df815ec2c8505ca21217bf8e

SHA512
680713c9fa6396b7b30643a313be222948cce25eb94f4d59eb8e263efed3d2c671b4f4f78931c1090bd476b07cbce86b41494584ab80c66bdf3a1de71c182629

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbebb884-ccbe-4299-b18f-9813875cb01f.vbs

Filesize
725B

MD5
7a8f88b14d75af4aa08bb6770fdf5aeb

SHA1
01a36243e8efefeb19c56c2c9faecffcad80fda6

SHA256
4e2fd458ad387d443d4890c85ceb293b9fe5e0189073a1e38e262bbd4be30bb2

SHA512
7bc0c64232b6f325026412b8a588bf6bddbdabe3c2c480ffff35640cdc2ae1e727b796ca663fddc9596702772a955347faab525e81d0617dc8866f99b4ab2690

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6981901-d860-45ca-9575-a5394648547d.vbs

Filesize
725B

MD5
487b381f91cccf7af978154c5bfc69e7

SHA1
6287417cbba3c3257c8443454ea956edb0bc1f95

SHA256
31d6c9b335bc2721bccd5e830e4207a4a5b7653d1870d710895d71b819401877

SHA512
1e7496b6fd896cdc72cf52c46db162e59616dcea02e3d70d1715c950b206f292f7260ccabd36f734c0683d2121717564b81969f33c1ed4861bd15a7fab3f6218

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3071df2-1a32-473a-a363-162a211c4230.vbs

Filesize
725B

MD5
1dc0a4e0c0deb706e472261f09f52853

SHA1
f1f4bd2f9aff5b1f10d5ccac2e65bdd31de224eb

SHA256
a7d1de9d1659ce56c8ee32f5a7245b571c81f40552e76f457d37c4da441cc0df

SHA512
a5eb4910ecc851377a2d97597bd92ab07f6bb1ed1798aa17b70f0f06cf3d8fb3c0c181fcb1bd9b6099defa478aeb8becd793824dcd4c02680a52b1fdbbe0c93c

Download Submit
\Agentcomponentdriver\PortDll.exe

Filesize
2.7MB

MD5
36678031ac136dc944f5b836ff267243

SHA1
5670ecf38e35121e09bcde5c3fc834d96e290752

SHA256
fb7730673d10c85f7496c509e0fef578f30f9ef818e62fd576907b33dc6ce025

SHA512
08d79ea3841c60c6f1cb1d946ecd71812bd19155246f10029afa09d283c098b57e5743d6978675be15638db8a8b68828842dd49c84a970f389a30cb10c161fda

Download Submit
memory/872-72-0x0000000000800000-0x0000000000AB6000-memory.dmp

Filesize
2.7MB

Download
memory/948-166-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1696-131-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1696-130-0x0000000001130000-0x00000000013E6000-memory.dmp

Filesize
2.7MB

Download
memory/2216-178-0x0000000000300000-0x00000000005B6000-memory.dmp

Filesize
2.7MB

Download
memory/2216-179-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/2416-83-0x0000000001050000-0x0000000001306000-memory.dmp

Filesize
2.7MB

Download
memory/2544-106-0x0000000001110000-0x00000000013C6000-memory.dmp

Filesize
2.7MB

Download
memory/2772-191-0x00000000000B0000-0x0000000000366000-memory.dmp

Filesize
2.7MB

Download
memory/2800-154-0x0000000001380000-0x0000000001636000-memory.dmp

Filesize
2.7MB

Download
memory/3032-31-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3032-42-0x000000001A9D0000-0x000000001A9DC000-memory.dmp

Filesize
48KB

Download
memory/3032-41-0x0000000002540000-0x000000000254A000-memory.dmp

Filesize
40KB

Download
memory/3032-40-0x0000000002530000-0x0000000002538000-memory.dmp

Filesize
32KB

Download
memory/3032-39-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/3032-38-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/3032-37-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/3032-36-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/3032-35-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/3032-34-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/3032-33-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/3032-32-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/3032-30-0x00000000024B0000-0x0000000002506000-memory.dmp

Filesize
344KB

Download
memory/3032-29-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/3032-28-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/3032-27-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/3032-26-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/3032-25-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/3032-24-0x0000000000CE0000-0x0000000000F96000-memory.dmp

Filesize
2.7MB

Download