dcrat | 9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8

Analysis

max time kernel
104s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Size

783KB
MD5

3b1535c8901387dfb2f75e34dfec94c7
SHA1

abb6f0f4aa913f150113cf9bc6740645b3464141
SHA256

9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8
SHA512

7fe2e9bc98bca0e76c3c68ae77b6300870ff6509a0ae5b1732e253aae9e529ff72778cbcdc92826453797bf7b5d0c4c0a74dc5f2e7e82bcd005ffd8aa5ff54c1
SSDEEP

12288:mqnOYxdAgpoNeF91rg5iFdr0yQ9gYx+EIpakCYJRU7Q9bWoFzqKh:m+OQbpbgsFdAyQvzSqaq8qI

Score

10^/10

dcrat defense_evasion discovery infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 16 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	100	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	100	schtasks.exe	86

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4144-1-0x0000000000F60000-0x000000000102A000-memory.dmp	dcrat
behavioral2/files/0x000e000000023d5f-33.dat	dcrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	2020	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Executes dropped EXE 3 IoCs

pid	Process
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\SyncHost\\dwm.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SysWOW64\\slmgr\\0407\\RuntimeBroker.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0\\OfficeClickToRun.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Documents and Settings\\dwm.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\ocsetapi\\lsass.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\PerfLogs\\MusNotification.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\Music\\explorer.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\wdmaud\\dwm.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\csrss.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\icfupgd\\RuntimeBroker.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\WinHvPlatform\\RuntimeBroker.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\PerfLogs\\winlogon.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVClient\\OfficeClickToRun.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8 = "\"C:\\ProgramData\\Application Data\\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\splwow64\\sysmon.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8 = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe\""	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wdmaud\dwm.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\ocsetapi\6203df4a6bafc7c328ee7f6f8ca0a8a838a8a1b9	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\SyncHost\6cb0b6c459d5d3455a3da700e713f2e2529862ff	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\icfupgd\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\System32\WinHvPlatform\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\System32\SyncHost\dwm.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\SysWOW64\slmgr\0407\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\0407\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\wdmaud\6cb0b6c459d5d3455a3da700e713f2e2529862ff	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\ocsetapi\lsass.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\System32\ocsetapi\lsass.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\SyncHost\dwm.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\icfupgd\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\WinHvPlatform\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\System32\icfupgd\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\SysWOW64\slmgr\0407\RuntimeBroker.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\0407\RCXA49E.tmp	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\wdmaud\dwm.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\System32\WinHvPlatform\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient\e6c9b481da804f07baff8eff543b0a1441069b5d	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0\OfficeClickToRun.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient\OfficeClickToRun.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0\OfficeClickToRun.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient\OfficeClickToRun.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0\e6c9b481da804f07baff8eff543b0a1441069b5d	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient\RCXA6A3.tmp	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0\RCXA8C7.tmp	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\f5063dc5687b672d8e5e347a22700aba738a422b	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\splwow64\sysmon.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File created	C:\Windows\splwow64\121e5b5079f7c0e46d90f99b3864022518bbbda9	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
File opened for modification	C:\Windows\splwow64\sysmon.exe	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3040	MicrosoftEdgeUpdate.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe
428	schtasks.exe
4132	schtasks.exe
4992	schtasks.exe
4856	schtasks.exe
468	schtasks.exe
1648	schtasks.exe
3560	schtasks.exe
4352	schtasks.exe
4620	schtasks.exe
2900	schtasks.exe
5052	schtasks.exe
4380	schtasks.exe
4552	schtasks.exe
776	schtasks.exe
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Token: SeDebugPrivilege	3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Token: SeDebugPrivilege	5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Token: SeDebugPrivilege	1952	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2444	4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	96
PID 4144 wrote to memory of 2444	4144	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	96
PID 2444 wrote to memory of 1056	2444	cmd.exe	98
PID 2444 wrote to memory of 1056	2444	cmd.exe	98
PID 2444 wrote to memory of 3048	2444	cmd.exe	99
PID 2444 wrote to memory of 3048	2444	cmd.exe	99
PID 3048 wrote to memory of 980	3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	104
PID 3048 wrote to memory of 980	3048	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	104
PID 980 wrote to memory of 3604	980	cmd.exe	106
PID 980 wrote to memory of 3604	980	cmd.exe	106
PID 980 wrote to memory of 5032	980	cmd.exe	107
PID 980 wrote to memory of 5032	980	cmd.exe	107
PID 5032 wrote to memory of 4108	5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	116
PID 5032 wrote to memory of 4108	5032	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe	116
PID 4108 wrote to memory of 3756	4108	cmd.exe	118
PID 4108 wrote to memory of 3756	4108	cmd.exe	118
PID 4108 wrote to memory of 1952	4108	cmd.exe	119
PID 4108 wrote to memory of 1952	4108	cmd.exe	119

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
"C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mXbBixG6GR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
    "C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn2dHdwKGU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5032
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9qTbodlg7f.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3756
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\PerfLogs\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SysWOW64\slmgr\0407\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Music\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8" /sc ONLOGON /tr "'C:\ProgramData\Application Data\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\wdmaud\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\splwow64\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Documents and Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\ocsetapi\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\SyncHost\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\icfupgd\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\WinHvPlatform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\PerfLogs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0Q2MTZEQkUtODBGQi00QUYzLTg0QjUtMzIwRTFBNDg5QUE0fSIgdXNlcmlkPSJ7N0FGQ0REOEItMEFCNy00QzI3LUFFRTAtQzYzNzQ0QzY4Q0IxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTUzOTk3NDYtQUM2RS00Mjk1LUFDNjgtODdFMjQwNzM2OUUzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTc4ODA5NTQyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8.exe.log

Filesize
1KB

MD5
b7c0c43fc7804baaa7dc87152cdc9554

SHA1
1bab62bd56af745678d4e967d91e1ccfdeed4038

SHA256
46386a61f3aaf1b1c2e6efc9fc7e9e9ff16cd13ae58b8d856835771fedb6d457

SHA512
9fda3dd00a3406137e0113f13f78e77b20a76512b35820d38df696842cbbf2e2ebabfb99a3846c9637ecb54af858ec1551521187e379872973006426a253f769

Download Submit
C:\Users\Admin\AppData\Local\Temp\9qTbodlg7f.bat

Filesize
300B

MD5
2e6571857a55f27e03b112c472081b85

SHA1
739cbf83f54739823fd94273fad9a104c312619b

SHA256
036437a87eda854e38353d3bdcb48ea9bca3a0b586a8bb36bf910b0567acefcb

SHA512
7a2ac28aae0e018e58e7759a14893ec2c87dd17bb84ea4c93f8a30d9e8323c9be660119dbb82ef9211b55573e297b345712ff9e6b149d79ed722490cba80a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rn2dHdwKGU.bat

Filesize
266B

MD5
397f274bfec7b372d6b499f1625a130c

SHA1
8453b3f7edb41965ee2531f0b482599bfc84360f

SHA256
b1d2f216c8c4f4a4ed2b614a862c7a857aabb2be5dc33d216e736874d0228942

SHA512
fc01c55fc2c9788a5c640c9961c0ed735c2a50b4adeb716320be4db04d92f47e0808aeff41f0def324c58a6bfd27d115c8faf2c6e80127b2191e236d17f6dd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mXbBixG6GR.bat

Filesize
266B

MD5
841669e2c7e5f3603a5d04aee067b783

SHA1
85cfd3e3382e489d9e2f385cc75fd6908622f56e

SHA256
a88d3d03e78a4b71ccb67bb56444c8029a7fd4c57f98f9d00043db1a9a4d88ed

SHA512
f5713b846d3e3b56194f0555492e65854e161957a3d789fc67b8fb1c727c2d91b4b8fd91bc6f181630a72f24ad22d64bd3d99dce67a5b328fd1c052fdacd501c

Download Submit
C:\Users\Default\Music\explorer.exe

Filesize
783KB

MD5
3b1535c8901387dfb2f75e34dfec94c7

SHA1
abb6f0f4aa913f150113cf9bc6740645b3464141

SHA256
9f428b9726cb683d247d51ef8113af549223ec6257a07ccd7654361e262b5fa8

SHA512
7fe2e9bc98bca0e76c3c68ae77b6300870ff6509a0ae5b1732e253aae9e529ff72778cbcdc92826453797bf7b5d0c4c0a74dc5f2e7e82bcd005ffd8aa5ff54c1

Download Submit
memory/1952-145-0x000000001BD80000-0x000000001BE82000-memory.dmp

Filesize
1.0MB

Download
memory/4144-19-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/4144-8-0x000000001BAD0000-0x000000001BADA000-memory.dmp

Filesize
40KB

Download
memory/4144-13-0x000000001BB30000-0x000000001BB38000-memory.dmp

Filesize
32KB

Download
memory/4144-14-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/4144-17-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/4144-16-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/4144-18-0x000000001BC80000-0x000000001BC88000-memory.dmp

Filesize
32KB

Download
memory/4144-20-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/4144-21-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/4144-22-0x000000001BCA0000-0x000000001BCA8000-memory.dmp

Filesize
32KB

Download
memory/4144-0-0x00007FFE95373000-0x00007FFE95375000-memory.dmp

Filesize
8KB

Download
memory/4144-15-0x000000001BB50000-0x000000001BB58000-memory.dmp

Filesize
32KB

Download
memory/4144-11-0x000000001BB10000-0x000000001BB18000-memory.dmp

Filesize
32KB

Download
memory/4144-12-0x000000001BB40000-0x000000001BB48000-memory.dmp

Filesize
32KB

Download
memory/4144-5-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/4144-4-0x0000000003190000-0x0000000003198000-memory.dmp

Filesize
32KB

Download
memory/4144-3-0x0000000003180000-0x0000000003188000-memory.dmp

Filesize
32KB

Download
memory/4144-25-0x00007FFE95370000-0x00007FFE95E31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-26-0x00007FFE95370000-0x00007FFE95E31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-10-0x000000001BAA0000-0x000000001BAA8000-memory.dmp

Filesize
32KB

Download
memory/4144-40-0x00007FFE95370000-0x00007FFE95E31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-9-0x000000001BAF0000-0x000000001BAFA000-memory.dmp

Filesize
40KB

Download
memory/4144-87-0x00007FFE95370000-0x00007FFE95E31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-7-0x00000000031B0000-0x00000000031BC000-memory.dmp

Filesize
48KB

Download
memory/4144-6-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/4144-2-0x00007FFE95370000-0x00007FFE95E31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-1-0x0000000000F60000-0x000000000102A000-memory.dmp

Filesize
808KB

Download