dcrat | 534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Size

2.7MB
MD5

3dce7fce69c35c15988ad7bc647d4681
SHA1

bf0b951d922c6e92e40cec56f641a0c48da49b57
SHA256

534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb
SHA512

99e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e
SSDEEP

49152:Ano0OKQIQaPECv3la9Bc0JpOkFl5B9LzYSbqtR6v:hMvlyG0JpOG50SbOg

Score

10^/10

dcrat defense_evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4476	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4476	schtasks.exe	82

UAC bypass 3 TTPs 6 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1520-1-0x0000000000080000-0x0000000000334000-memory.dmp	dcrat
behavioral2/files/0x0008000000023bfb-30.dat	dcrat
behavioral2/files/0x000f000000023c7e-107.dat	dcrat
behavioral2/files/0x000f000000023bc9-165.dat	dcrat
behavioral2/files/0x000300000001e75a-176.dat	dcrat
behavioral2/files/0x0009000000023c64-222.dat	dcrat
behavioral2/files/0x0009000000023c67-233.dat	dcrat
behavioral2/files/0x0008000000023c81-244.dat	dcrat
behavioral2/files/0x0009000000023c70-255.dat	dcrat
behavioral2/files/0x0009000000023c73-264.dat	dcrat
behavioral2/files/0x0009000000023c76-277.dat	dcrat
behavioral2/memory/968-343-0x0000000000740000-0x00000000009F4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe

Executes dropped EXE 1 IoCs

pid	Process
968	sysmon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Java\winlogon.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXBFCD.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD889.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXC8FB.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXD588.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files\Microsoft Office\root\loc\886983d96e3d3e	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Google\ea9f0e6c9e2dcd	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Java\RCXC463.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXC67A.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXC8FC.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Google\taskhostw.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Google\taskhostw.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXC679.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\RCXD306.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\csrss.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD80B.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files\Microsoft Office\root\loc\csrss.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Google\RCXE030.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\ea1d8f6d871115	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files\Microsoft Office\smss.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files\Java\cc11b995f2a76d	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXD589.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\RCXD307.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\6203df4a6bafc7	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\c5b4cb5e9653cc	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXBFBC.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Java\RCXC464.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Java\winlogon.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files\Microsoft Office\smss.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Program Files (x86)\Google\RCXDFB2.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\LanguageOverlayCache\TextInputHost.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Windows\ServiceState\EventLog\Data\services.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Windows\uk-UA\RCXBAB7.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Windows\uk-UA\RCXBB15.tmp	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Windows\uk-UA\SearchApp.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File opened for modification	C:\Windows\uk-UA\SearchApp.exe	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
File created	C:\Windows\uk-UA\38384e6a620884	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1336	schtasks.exe
3420	schtasks.exe
4136	schtasks.exe
3628	schtasks.exe
2388	schtasks.exe
4900	schtasks.exe
4920	schtasks.exe
2004	schtasks.exe
4272	schtasks.exe
2924	schtasks.exe
3404	schtasks.exe
2080	schtasks.exe
864	schtasks.exe
3500	schtasks.exe
2368	schtasks.exe
1824	schtasks.exe
452	schtasks.exe
968	schtasks.exe
1776	schtasks.exe
1304	schtasks.exe
2028	schtasks.exe
1020	schtasks.exe
2972	schtasks.exe
3736	schtasks.exe
3152	schtasks.exe
3408	schtasks.exe
448	schtasks.exe
1592	schtasks.exe
2648	schtasks.exe
3824	schtasks.exe
2708	schtasks.exe
2372	schtasks.exe
816	schtasks.exe
4608	schtasks.exe
4408	schtasks.exe
4796	schtasks.exe
1604	schtasks.exe
1068	schtasks.exe
2324	schtasks.exe
1504	schtasks.exe
2764	schtasks.exe
1128	schtasks.exe
4356	schtasks.exe
4068	schtasks.exe
5056	schtasks.exe
440	schtasks.exe
3976	schtasks.exe
3624	schtasks.exe
2932	schtasks.exe
1080	schtasks.exe
696	schtasks.exe
1016	schtasks.exe
4040	schtasks.exe
4996	schtasks.exe
1056	schtasks.exe
2876	schtasks.exe
5044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe
968	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
968	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Token: SeDebugPrivilege	968	sysmon.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 968	1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe	144
PID 1520 wrote to memory of 968	1520	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe	144

System policy modification 1 TTPs 6 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	sysmon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe
"C:\Users\Admin\AppData\Local\Temp\534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1520
- C:\Users\Default User\sysmon.exe
  "C:\Users\Default User\sysmon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\uk-UA\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\uk-UA\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\My Documents\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\loc\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\loc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\root\loc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\taskhostw.exe

Filesize
2.7MB

MD5
150cef9a10f1adc138dacee74f627579

SHA1
3d0391ef13b3e10e5db519151602b20c2adb405d

SHA256
73880c1b8aaa67ff2b88efa75b9cef1df27b49d88b1eeacb73a5adb7a603e994

SHA512
a8441ced75f829f21eac543d97af55dc0e9bc845e85663f0c1e355d637bbbe86d113f82b2e5c39111bbf9abc501529ebffff995cbe45d8ec0442fc6338113fa0

Download Submit
C:\Program Files\Java\winlogon.exe

Filesize
2.7MB

MD5
3dce7fce69c35c15988ad7bc647d4681

SHA1
bf0b951d922c6e92e40cec56f641a0c48da49b57

SHA256
534190cdacfd4dd6d00505481ff5051320f6168e3740dafbc132a5003146c3bb

SHA512
99e11b00a61b901a0954dbdd6c1b533c2898662584ea296fd1a92b790ffe10690cf2acba4b595e9d517fc3088ec03450c1d1ee1ce9ae8cfe1a15f24ae14ad33e

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
2.7MB

MD5
48649708bb551f283a609b42d412e54d

SHA1
a95bd6fc0c2410e0ad65821be57c2f410b02fb80

SHA256
55524ca6696994854c292adaa2767d7d49d1cc05e23a3403992c9b887e5736a7

SHA512
837af7a1c34f694672f30ea694ffddd694f3e22c9ba2a36bf21021bff5361c4fa95a8c3f53c09b786f23d3c6e475141bfb6b36d511d1a15cf2c948e49db80a88

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
2.7MB

MD5
82d29a6b15f18678ba9c4d6afb85c9dc

SHA1
65dd57a76a841627f9c77f43defda6b7af48d68a

SHA256
62c9196505c9225791b64f3cc01012e1b6aeab6b4700ec3ec7d7c21300c99f28

SHA512
9b32cf28adde53192ca21733a1308cabc644f20befbb2b0998623d6346ddc788db286ff882791db45a277003024345a456ee866239f7e38de9186c859b1adf29

Download Submit
C:\Recovery\WindowsRE\sppsvc.exe

Filesize
2.7MB

MD5
72f1f63f2c9a99f71d416da7057c04f1

SHA1
0fbff35be152ca8dcc5f6e9d1d38a99932a877b1

SHA256
d2598c29463c69756e6024093845b0b4682da1fc5bd66e51179cb1cc508ac49e

SHA512
daef366b69de77f5f32bb30552f41ea48ce78b4b367de2e83f9f2852ac3005de564c21e462f9e5ee2b323f6bfecd9bcb99a4348075508fd890f6e632da15815a

Download Submit
C:\Users\Admin\Documents\TextInputHost.exe

Filesize
2.7MB

MD5
51df07eb3fb33e2b5c4cc6654ec12715

SHA1
d2cea96511a22b85c576af49e93ef753b88af21c

SHA256
04c8e216a7cfb3cd953b2828924d7e66ac117c4801209de7d7a8c57eef7d124c

SHA512
fc64d37ef9f4b6778400840987491e7d8b0bdb89efb859337814fe537a0a25eeda4f479aa499f0fe8eccda5c28e656fde67f1642d670ac4b622fed0ace02dd68

Download Submit
C:\Users\Admin\fontdrvhost.exe

Filesize
2.7MB

MD5
814ef4c07e7f1c08e724fff57226e5ff

SHA1
055b0253f4a88b0322a9cb006dc5924ad91bd89f

SHA256
3c7b77d7cf81802211e8acde05ba38ab5c93025f78d5b13c112d3a403d6b3dce

SHA512
9d41b3b9fed82782778ed8149a9ef0d61ffb73420e75cf5113dfd23079418c82bed1c3c47662ddcbefe6a09e6a90139b12790f2f9dca2c45f1282450b041e421

Download Submit
C:\Users\Default\Idle.exe

Filesize
2.7MB

MD5
54350ba9589d7a7209ee6332a58f8597

SHA1
65ea1042aeed3eee6324f593a9b186f148e03f14

SHA256
163a7f6fd781345fcd4d06a9d77ed552032826dd0aa1fbb5992530b51c725070

SHA512
f045ef687e59b0841952933080cf0aef76117dc2c5e69c1869e0142e564fa0a82bf25a788437c2a0b6d0fe4f573154dedfd04e22a230f6f0f74e1d89a0fc27f2

Download Submit
C:\Users\Default\sysmon.exe

Filesize
2.7MB

MD5
938725e042f2bce4428b0651fa64f474

SHA1
3986bbb7aa71252e2ac837f40d4fe340373ba0e7

SHA256
e0deab346b34d597a19a0321841b94b2051d47a1b63ded7ccec0cab7f8554e77

SHA512
a5523db02731f0aec434fca46d844c392934c5262b5ed00ff5859b0c0055ce303eb6a85e38807ee2febe4e09ffaeaa00e8a4ad7f493ca34ce1bae97f50c0d9ae

Download Submit
C:\Users\Public\Music\services.exe

Filesize
2.7MB

MD5
29286e69ad70ecc37aa0e251b3b23137

SHA1
8d546d6d821359d13f3acef8f6db1d5f6111aafd

SHA256
8da9e4731a02f96b72050a55ab515c3db1e9eb70655c5d95ef7a317de6be83f9

SHA512
73c8b12cb1731bdffb649f8db555e0f5d6a97731874c5ef140396d20e251bd02dd21d6b4fc4669b3a2fd5074b47a2f677065131ea97befd6136e34b5bbc71014

Download Submit
memory/968-344-0x000000001B740000-0x000000001B752000-memory.dmp

Filesize
72KB

Download
memory/968-343-0x0000000000740000-0x00000000009F4000-memory.dmp

Filesize
2.7MB

Download
memory/1520-18-0x000000001B6E0000-0x000000001B6EE000-memory.dmp

Filesize
56KB

Download
memory/1520-9-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1520-14-0x000000001BC00000-0x000000001C128000-memory.dmp

Filesize
5.2MB

Download
memory/1520-15-0x000000001B0B0000-0x000000001B0B8000-memory.dmp

Filesize
32KB

Download
memory/1520-16-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

Filesize
32KB

Download
memory/1520-17-0x000000001B7E0000-0x000000001B7EC000-memory.dmp

Filesize
48KB

Download
memory/1520-0-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/1520-19-0x000000001B6F0000-0x000000001B6FC000-memory.dmp

Filesize
48KB

Download
memory/1520-20-0x000000001B700000-0x000000001B70A000-memory.dmp

Filesize
40KB

Download
memory/1520-21-0x000000001B710000-0x000000001B71C000-memory.dmp

Filesize
48KB

Download
memory/1520-12-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/1520-11-0x00000000025E0000-0x0000000002636000-memory.dmp

Filesize
344KB

Download
memory/1520-10-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/1520-13-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1520-190-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/1520-213-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-8-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/1520-7-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/1520-6-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/1520-5-0x0000000002660000-0x00000000026B0000-memory.dmp

Filesize
320KB

Download
memory/1520-4-0x0000000000CA0000-0x0000000000CBC000-memory.dmp

Filesize
112KB

Download
memory/1520-3-0x0000000000C90000-0x0000000000C9E000-memory.dmp

Filesize
56KB

Download
memory/1520-342-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-2-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/1520-1-0x0000000000080000-0x0000000000334000-memory.dmp

Filesize
2.7MB

Download