dcrat | 4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

067dba33ec6de2a7e733bb64a32ebb10.exe
Size

5.9MB
MD5

067dba33ec6de2a7e733bb64a32ebb10
SHA1

dbc8075ee823d50d3a6a058d582ee417e51b32fb
SHA256

268c2bd3bec29465845b7dc6d979a366f4f155e406ce4486ba41953061641f35
SHA512

de4efdcf0984e4368b60e2c52a276d0a4d24aa4348eb46aafc66e47c4729e1c49b0446b5b7a4e3483e4a8437bacace125d0710da9fbac9ad988c8328d7ee088e
SSDEEP

98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4V:ByeU11Rvqmu8TWKnF6N/1wU

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3008	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3008	schtasks.exe	89

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
2880	powershell.exe
1792	powershell.exe
3328	powershell.exe
4604	powershell.exe
3860	powershell.exe
3808	powershell.exe
4124	powershell.exe
4116	powershell.exe
1116	powershell.exe
4308	powershell.exe
2728	powershell.exe
4792	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	067dba33ec6de2a7e733bb64a32ebb10.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	067dba33ec6de2a7e733bb64a32ebb10.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 3 IoCs

pid	Process
5436	services.exe
1148	services.exe
5292	services.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
5436	services.exe
5436	services.exe
1148	services.exe
1148	services.exe
5292	services.exe
5292	services.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\886983d96e3d3e	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files\Internet Explorer\images\0a1fd5f707cd16	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\SearchApp.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXBA26.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RCXBA37.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\RCXC762.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files\Internet Explorer\images\sppsvc.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\38384e6a620884	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files\Crashpad\attachments\csrss.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXB2CD.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\RCXB35B.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\SearchApp.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files\Windows Media Player\Icons\services.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File created	C:\Program Files\Crashpad\attachments\886983d96e3d3e	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXB802.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Crashpad\attachments\RCXB812.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Crashpad\attachments\csrss.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files\Internet Explorer\images\sppsvc.exe	067dba33ec6de2a7e733bb64a32ebb10.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\RCXC752.tmp	067dba33ec6de2a7e733bb64a32ebb10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	067dba33ec6de2a7e733bb64a32ebb10.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe
1688	schtasks.exe
4792	schtasks.exe
5076	schtasks.exe
4068	schtasks.exe
1788	schtasks.exe
3780	schtasks.exe
4608	schtasks.exe
4508	schtasks.exe
2784	schtasks.exe
2128	schtasks.exe
2312	schtasks.exe
2728	schtasks.exe
4664	schtasks.exe
1040	schtasks.exe
3172	schtasks.exe
632	schtasks.exe
3356	schtasks.exe
552	schtasks.exe
1708	schtasks.exe
600	schtasks.exe
1416	schtasks.exe
3092	schtasks.exe
3232	schtasks.exe
3716	schtasks.exe
1100	schtasks.exe
4516	schtasks.exe
3120	schtasks.exe
4040	schtasks.exe
1116	schtasks.exe
816	schtasks.exe
812	schtasks.exe
824	schtasks.exe
656	schtasks.exe
4736	schtasks.exe
2216	schtasks.exe
1512	schtasks.exe
184	schtasks.exe
4620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
4656	067dba33ec6de2a7e733bb64a32ebb10.exe
3860	powershell.exe
3860	powershell.exe
4116	powershell.exe
4116	powershell.exe
4308	powershell.exe
4308	powershell.exe
2728	powershell.exe
2728	powershell.exe
1792	powershell.exe
1116	powershell.exe
1792	powershell.exe
1116	powershell.exe
2880	powershell.exe
2880	powershell.exe
1688	powershell.exe
1688	powershell.exe
4792	powershell.exe
4792	powershell.exe
4604	powershell.exe
4604	powershell.exe
4116	powershell.exe
4124	powershell.exe
4124	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	067dba33ec6de2a7e733bb64a32ebb10.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	5436	services.exe
Token: SeDebugPrivilege	1148	services.exe
Token: SeDebugPrivilege	5292	services.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 2880	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	134
PID 4656 wrote to memory of 2880	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	134
PID 4656 wrote to memory of 4116	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	135
PID 4656 wrote to memory of 4116	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	135
PID 4656 wrote to memory of 4124	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	136
PID 4656 wrote to memory of 4124	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	136
PID 4656 wrote to memory of 3808	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	137
PID 4656 wrote to memory of 3808	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	137
PID 4656 wrote to memory of 3860	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	139
PID 4656 wrote to memory of 3860	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	139
PID 4656 wrote to memory of 1688	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	140
PID 4656 wrote to memory of 1688	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	140
PID 4656 wrote to memory of 4604	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	142
PID 4656 wrote to memory of 4604	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	142
PID 4656 wrote to memory of 4792	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	143
PID 4656 wrote to memory of 4792	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	143
PID 4656 wrote to memory of 2728	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	145
PID 4656 wrote to memory of 2728	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	145
PID 4656 wrote to memory of 4308	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	146
PID 4656 wrote to memory of 4308	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	146
PID 4656 wrote to memory of 3328	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	147
PID 4656 wrote to memory of 3328	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	147
PID 4656 wrote to memory of 1792	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	148
PID 4656 wrote to memory of 1792	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	148
PID 4656 wrote to memory of 1116	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	149
PID 4656 wrote to memory of 1116	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	149
PID 4656 wrote to memory of 368	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	160
PID 4656 wrote to memory of 368	4656	067dba33ec6de2a7e733bb64a32ebb10.exe	160
PID 368 wrote to memory of 656	368	cmd.exe	162
PID 368 wrote to memory of 656	368	cmd.exe	162
PID 368 wrote to memory of 5436	368	cmd.exe	164
PID 368 wrote to memory of 5436	368	cmd.exe	164
PID 5436 wrote to memory of 5656	5436	services.exe	165
PID 5436 wrote to memory of 5656	5436	services.exe	165
PID 5436 wrote to memory of 5704	5436	services.exe	166
PID 5436 wrote to memory of 5704	5436	services.exe	166
PID 5656 wrote to memory of 1148	5656	WScript.exe	175
PID 5656 wrote to memory of 1148	5656	WScript.exe	175
PID 1148 wrote to memory of 412	1148	services.exe	177
PID 1148 wrote to memory of 412	1148	services.exe	177
PID 1148 wrote to memory of 2464	1148	services.exe	178
PID 1148 wrote to memory of 2464	1148	services.exe	178
PID 412 wrote to memory of 5292	412	WScript.exe	179
PID 412 wrote to memory of 5292	412	WScript.exe	179
PID 5292 wrote to memory of 5548	5292	services.exe	180
PID 5292 wrote to memory of 5548	5292	services.exe	180
PID 5292 wrote to memory of 5696	5292	services.exe	181
PID 5292 wrote to memory of 5696	5292	services.exe	181

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	067dba33ec6de2a7e733bb64a32ebb10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\067dba33ec6de2a7e733bb64a32ebb10.exe
"C:\Users\Admin\AppData\Local\Temp\067dba33ec6de2a7e733bb64a32ebb10.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0154351536fc379faee1/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/3ac54ddf2ad44faa6035cf/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MRQQXNJTrT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:656
- - C:\Recovery\WindowsRE\services.exe
    "C:\Recovery\WindowsRE\services.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5436
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0a3a6b-8e92-4af9-8a1c-562859dabfa6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5656
    - - C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1148
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45bf5cf0-1e6f-4cc7-8545-497c6df36b49.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\515ae659-294b-48bb-a6c6-189812309055.vbs"
        8⤵
        
        PID:5548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1429446-0cd5-451e-a329-67ecdca9513d.vbs"
        8⤵
        
        PID:5696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\697e99fd-eef2-44c7-bbd4-26fc46f0d2f6.vbs"
        6⤵
        
        PID:2464
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9aaca5f2-7e19-473a-9f46-0d464a1781a4.vbs"
      4⤵
      PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\0154351536fc379faee1\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\images\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\3ac54ddf2ad44faa6035cf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Oracle\Java\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0154351536fc379faee1\smss.exe

Filesize
5.9MB

MD5
067dba33ec6de2a7e733bb64a32ebb10

SHA1
dbc8075ee823d50d3a6a058d582ee417e51b32fb

SHA256
268c2bd3bec29465845b7dc6d979a366f4f155e406ce4486ba41953061641f35

SHA512
de4efdcf0984e4368b60e2c52a276d0a4d24aa4348eb46aafc66e47c4729e1c49b0446b5b7a4e3483e4a8437bacace125d0710da9fbac9ad988c8328d7ee088e

Download Submit
C:\Program Files (x86)\Internet Explorer\SIGNUP\csrss.exe

Filesize
5.9MB

MD5
5f55d85e9dc7ec3709a7f4ea833405dd

SHA1
a95c2ecef1fdbf7f96d92e7e18c479904e2a49be

SHA256
7a1d79d453039901ba59e8c38995ae18ed322913dc41df24b49527b25016cf74

SHA512
83d10f9fc30bddd6ef2ff87095b7bda1dd8c0e7b582b68658834b0b92dc4f8805e15914bc46675c3a4132bc6a8215d64839b9bd2c1c5a1ac272a9fbf4fb5ae46

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
5.9MB

MD5
92c630afcbc8fbbbe3e443044ef605d2

SHA1
2c4a8a82043b7209bcb2c3a9f44b09f8d4f22803

SHA256
19c31c4857b2998e0ed8847183daf4aae19560ad6124d49e0a2044ce708473a6

SHA512
701889e9b0ec46be3853f8f329596fbbc709dff17bb2ae4a318e9dabad395e793cbe85575983df587ac7387bc0187ba3f4470da46fdbe07904b75c2a47984e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f68785608a60c0961b2926f9c4d4ff87

SHA1
e90357d9a679b851acf30e5e7aa6f76f2e6d3bb4

SHA256
edeed8daa6363551c6ffe770dc95fc9a767da6a020004c61c8e3d81eccb9d673

SHA512
fa369a235b3d4375e7856e39f42b17fb118fadb0b48fbe71074fa47354d0713662b950142ab5083c01cc850f79bbb0abe154eefe0e754b9b76e8d3b330daf652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd1e1eb6a048e036091c96bdc35a80f2

SHA1
647970199ff6cf12e9d62f5d42030b50ec2fd319

SHA256
f2a37d987731acdcd4887580e12dc5adef0f76c2f8566b071124973ccc49a5fa

SHA512
17571b418a955ac9349b99b03a11560f35a05633cb6146b4ac2b6854e72a215b8cbae9528e1634ac3fafc96f25bffc81c84719305b53cf6e01a97e6669cc05f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
16e669660431a76b6985bae6a3e0ca0f

SHA1
55aead2478e085cc4fa52035dc6d3e9ceb856485

SHA256
df0d9b2a6f0538cdf02e7f2a69db35dbf92a48fb81fcf58c12f1f0ad2ea13fe2

SHA512
ba3a159eca907f8cd6bce2a66b334250e1c6a3b60f14e2cd1ab8dbd0baf33b7b385d834ed1aa3ccb013711cbaf7607d51e7107f1f1783f46595a99a15d5a7d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea2f44a25582e20c2e1d21c73bbd4fa1

SHA1
d63ef1804bad1a542aeb3cf5111cd86a9111d7a1

SHA256
43ec39d124ebadf53f254b9aef5f1d2f73526a681682d0409af5e34beb8737d8

SHA512
49ed57cd127b56793cf2bc1dfae0ccb45d3a9eaaf9475ea7ec65b4d6782c0b846b832bedfa19e65c4b54d7a7b19dfd177bfcb3e0fadad8640c4bb6515ee2c835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
86ff644f9a06688655f1c9fab80c2287

SHA1
42a285e478bbf312195d5356f22064bc9195de97

SHA256
53c83b1ce3c2769f42b262235c766cdd07271385b0af9c295eee349418fa8834

SHA512
d26f6b7313d08ae832ed492c2a6fc60f83d0c1f2f444bd1d501a8d238c4772a9250e88405fc7a2a027e2d7a517a1f89f838096446f191349f7fa6df26457fd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
daa089218fdc061e9ac7982ae6f8d334

SHA1
02628c148f3d35f8e5e61060a2aa2c8757167238

SHA256
cdd7a4ffec6acd211d98541acf1d4d5ef2852fa4d73b4182392f04f1c6d165ec

SHA512
f59ae59d0b8906b1e9685501d2d2981b0dbb1e104e38353a26559ad1fce76f55d184bc14d56596f0e25c4e21a39fcdf66fd0d7472d3e301f1743715dd684e14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1876c6ca0729e2544827f203851c080c

SHA1
bc9355e48d75148605338862957245f8c9405775

SHA256
30e44fbc9b4d228c2392da942d647c69a3edd18491720c3d5f4e32a518b2218a

SHA512
4334f7e5da5646898c9573c417311571e323afad1362d472c0032448c252dade3c2509357fbd25ae422c4b28ccd744709ec23898ea38853ebb5a457970ac030f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c88f5f103e9375dc09ed9111f780e6ac

SHA1
f4bfc56f2c79364a5a32ca575329de6d7f648661

SHA256
a159d1dfb8d72e4f3db774b7a7c841cb3fefc1655bf5a705c87ae022b9189ea5

SHA512
31d29b73dd24f1b223b7cfbeca129834f9eac0999bed647784bb933e0dfbb0ad70c003dd70b7cea1049d33d9d189bf80c285be45d4ffd8cf9fa0732be542a4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\45bf5cf0-1e6f-4cc7-8545-497c6df36b49.vbs

Filesize
710B

MD5
81d59d8bf354384243c516a04e0a812c

SHA1
704e0da1ade032dfa94e36b01007f020fd9408fa

SHA256
21b266a55a36f744045a874fb748ae041647a0cab222382575465c26cc032c46

SHA512
9971d5a65bc4e56d0d7e146c096ca6c3e12b06cb807d6195e410be98e2cf843139901589517264a303a9cc396252e894cb80db8ee8216e5efaa067dd8c2a7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\515ae659-294b-48bb-a6c6-189812309055.vbs

Filesize
710B

MD5
71f1b2b52f99b5af13c497a12f318cd6

SHA1
079a925bf30ccf8c444f5af283d7ff4b742e7962

SHA256
62a7bb51da9553b8a269439ae02bd71256973a241be6059c6ec779c74080cf59

SHA512
2908f5e9cbb69fa123c758b808238d32289cab2e03f5e2c285334edc2daca37d82a0fc5d1566db13e5db17133bc6935e69c4d81351de9581bc08d7d67fc0ea87

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a0a3a6b-8e92-4af9-8a1c-562859dabfa6.vbs

Filesize
710B

MD5
6937d41b4a44722e697aa03a8aa3ba2d

SHA1
3a95e209527af1f852fd39953c2306eff2731d86

SHA256
9fb383881a9d1bc257846dd5a91597a7a61a013aee7a9f4ea103612922db24b9

SHA512
880d15559c654560881888c302390b21f4b442c8901913ac1064385f7f8fb631be0ae47b2ded3e1a6cebf8d1fa4283ac2e0ff33f53749671b9c8f5aa45180fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aaca5f2-7e19-473a-9f46-0d464a1781a4.vbs

Filesize
486B

MD5
58949e3b3d234b96d3c16c3700116ba8

SHA1
97320cafa7bb41974b82e76718a5dfdc3c7a71fc

SHA256
b13cd85f219dfb828b85295145655b081cf3160c8985995a557254361c81bbf8

SHA512
bedf8db8cdb74ad6726bbd5e754b0700c968012bcde3d4933f72a19df6f3c91813d2ae461118131b8c0121c602431a67e1783bd32f9ff8bf1ed9236e22d7a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRQQXNJTrT.bat

Filesize
199B

MD5
edd8f1a0bc287730d70dca50dc1a33cc

SHA1
1f9841b841e166fc3247b5145744cd311b9f4887

SHA256
a9d8c8d33f1986844ad820adf5acf6313804621379cafc441c3255b3d0f79888

SHA512
190e9bab243060ebc265561a57b3c89d3fa25e407a84c060abb965a2a13ca4136f99ece315f888e24e38758009a0d74f5611ba7d0ef02db224f76b4081e5dd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gnts213b.0hj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\AppData\Local\explorer.exe

Filesize
5.9MB

MD5
fbd652833fc446f1f278387a93abb4e0

SHA1
bfe7a168c07eb38c25b3aaea52e170931825c4f8

SHA256
4985982e0c557e680f76795abd52abfb874fbc9791354899ab13b41999279201

SHA512
9cea6588df697f0e06a8044f7cc54f7864409a979e03e1d832bff9e3ac4de665b5791a9308335a1c75f140f08e285fe5a3171cca0c6f3d0895e0d4953043e001

Download Submit
memory/4116-237-0x000001C6F16E0000-0x000001C6F1702000-memory.dmp

Filesize
136KB

Download
memory/4656-19-0x000000001D2C0000-0x000000001D2CC000-memory.dmp

Filesize
48KB

Download
memory/4656-24-0x000000001D300000-0x000000001D312000-memory.dmp

Filesize
72KB

Download
memory/4656-6-0x000000001B840000-0x000000001B848000-memory.dmp

Filesize
32KB

Download
memory/4656-29-0x000000001D360000-0x000000001D36C000-memory.dmp

Filesize
48KB

Download
memory/4656-28-0x000000001D350000-0x000000001D358000-memory.dmp

Filesize
32KB

Download
memory/4656-32-0x000000001D590000-0x000000001D59C000-memory.dmp

Filesize
48KB

Download
memory/4656-38-0x000000001D5F0000-0x000000001D5FC000-memory.dmp

Filesize
48KB

Download
memory/4656-40-0x000000001D610000-0x000000001D61A000-memory.dmp

Filesize
40KB

Download
memory/4656-41-0x000000001D620000-0x000000001D62C000-memory.dmp

Filesize
48KB

Download
memory/4656-39-0x000000001D600000-0x000000001D608000-memory.dmp

Filesize
32KB

Download
memory/4656-37-0x000000001D5E0000-0x000000001D5E8000-memory.dmp

Filesize
32KB

Download
memory/4656-36-0x000000001D5D0000-0x000000001D5DE000-memory.dmp

Filesize
56KB

Download
memory/4656-35-0x000000001D5C0000-0x000000001D5C8000-memory.dmp

Filesize
32KB

Download
memory/4656-34-0x000000001D5B0000-0x000000001D5BE000-memory.dmp

Filesize
56KB

Download
memory/4656-33-0x000000001D5A0000-0x000000001D5AA000-memory.dmp

Filesize
40KB

Download
memory/4656-31-0x000000001D580000-0x000000001D588000-memory.dmp

Filesize
32KB

Download
memory/4656-20-0x000000001D2D0000-0x000000001D2D8000-memory.dmp

Filesize
32KB

Download
memory/4656-30-0x000000001D370000-0x000000001D37C000-memory.dmp

Filesize
48KB

Download
memory/4656-27-0x000000001D340000-0x000000001D34C000-memory.dmp

Filesize
48KB

Download
memory/4656-26-0x000000001D330000-0x000000001D33C000-memory.dmp

Filesize
48KB

Download
memory/4656-25-0x000000001D860000-0x000000001DD88000-memory.dmp

Filesize
5.2MB

Download
memory/4656-21-0x000000001D2E0000-0x000000001D2EC000-memory.dmp

Filesize
48KB

Download
memory/4656-22-0x000000001D2F0000-0x000000001D2F8000-memory.dmp

Filesize
32KB

Download
memory/4656-7-0x000000001B850000-0x000000001B86C000-memory.dmp

Filesize
112KB

Download
memory/4656-212-0x00007FFC919E3000-0x00007FFC919E5000-memory.dmp

Filesize
8KB

Download
memory/4656-231-0x00007FFC919E0000-0x00007FFC924A1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-16-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/4656-0-0x00007FFC919E3000-0x00007FFC919E5000-memory.dmp

Filesize
8KB

Download
memory/4656-18-0x000000001D270000-0x000000001D2C6000-memory.dmp

Filesize
344KB

Download
memory/4656-17-0x000000001D260000-0x000000001D26A000-memory.dmp

Filesize
40KB

Download
memory/4656-8-0x000000001D100000-0x000000001D150000-memory.dmp

Filesize
320KB

Download
memory/4656-15-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/4656-14-0x000000001D250000-0x000000001D25C000-memory.dmp

Filesize
48KB

Download
memory/4656-11-0x000000001B9E0000-0x000000001B9F6000-memory.dmp

Filesize
88KB

Download
memory/4656-12-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/4656-13-0x000000001BA10000-0x000000001BA22000-memory.dmp

Filesize
72KB

Download
memory/4656-9-0x000000001B9C0000-0x000000001B9C8000-memory.dmp

Filesize
32KB

Download
memory/4656-10-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/4656-1-0x0000000000370000-0x0000000000C68000-memory.dmp

Filesize
9.0MB

Download
memory/4656-5-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download
memory/4656-4-0x0000000002CE0000-0x0000000002CEE000-memory.dmp

Filesize
56KB

Download
memory/4656-3-0x00007FFC919E0000-0x00007FFC924A1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-2-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/5292-406-0x000000001DB50000-0x000000001DB62000-memory.dmp

Filesize
72KB

Download
memory/5436-380-0x000000001EAE0000-0x000000001EAF2000-memory.dmp

Filesize
72KB

Download