dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Size

5.9MB
MD5

c3aaa8d0678c59cfe55a289d29c5b3d1
SHA1

2c592322b164e7fa9282bfdb7a650dbe4d41492c
SHA256

c18fdffa9d1b4bc8ae2f14f8685b9dcad5d250760d0fe059c522115dac9a3d24
SHA512

e36f85f15ee3e026fcac40603e8985277f1196d2435cb95c24ffa9afc1dbd09c69474be0d601c7b6a6c67bec203369cfb1e67aa6db1ae1a0056910b12bd70408
SSDEEP

98304:ByeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4G:ByeU11Rvqmu8TWKnF6N/1w3

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	3400	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	3400	schtasks.exe	87

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4220	powershell.exe
3872	powershell.exe
3752	powershell.exe
2944	powershell.exe
2380	powershell.exe
4456	powershell.exe
2396	powershell.exe
2200	powershell.exe
1224	powershell.exe
2760	powershell.exe
2764	powershell.exe
4384	powershell.exe
4504	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c3aaa8d0678c59cfe55a289d29c5b3d1.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 3 IoCs

pid	Process
5168	backgroundTaskHost.exe
832	backgroundTaskHost.exe
1740	backgroundTaskHost.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
5168	backgroundTaskHost.exe
5168	backgroundTaskHost.exe
832	backgroundTaskHost.exe
832	backgroundTaskHost.exe
1740	backgroundTaskHost.exe
1740	backgroundTaskHost.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXAA6F.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\22eafd247d37c3	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\backgroundTaskHost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\csrss.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\5940a34987c991	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXA626.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\886983d96e3d3e	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXAA70.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXAD01.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\csrss.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\eddb19405b7ce1	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\RCXAD12.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB13B.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXA615.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\backgroundTaskHost.exe	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXB13C.tmp	c3aaa8d0678c59cfe55a289d29c5b3d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Key created	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings	backgroundTaskHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe
3172	schtasks.exe
2152	schtasks.exe
3716	schtasks.exe
4384	schtasks.exe
828	schtasks.exe
3792	schtasks.exe
5072	schtasks.exe
5064	schtasks.exe
4000	schtasks.exe
672	schtasks.exe
4064	schtasks.exe
4080	schtasks.exe
1740	schtasks.exe
5100	schtasks.exe
1660	schtasks.exe
1532	schtasks.exe
640	schtasks.exe
2652	schtasks.exe
1324	schtasks.exe
3936	schtasks.exe
4884	schtasks.exe
3368	schtasks.exe
4456	schtasks.exe
3672	schtasks.exe
2648	schtasks.exe
1092	schtasks.exe
676	schtasks.exe
2900	schtasks.exe
864	schtasks.exe
4108	schtasks.exe
4144	schtasks.exe
2760	schtasks.exe
1848	schtasks.exe
4764	schtasks.exe
4864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
2764	powershell.exe
2764	powershell.exe
4456	powershell.exe
4456	powershell.exe
3872	powershell.exe
3872	powershell.exe
2944	powershell.exe
2944	powershell.exe
2380	powershell.exe
2380	powershell.exe
2760	powershell.exe
2760	powershell.exe
3752	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	5168	backgroundTaskHost.exe
Token: SeDebugPrivilege	832	backgroundTaskHost.exe
Token: SeDebugPrivilege	1740	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4456	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	129
PID 4588 wrote to memory of 4456	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	129
PID 4588 wrote to memory of 2380	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	130
PID 4588 wrote to memory of 2380	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	130
PID 4588 wrote to memory of 2944	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	131
PID 4588 wrote to memory of 2944	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	131
PID 4588 wrote to memory of 2764	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	133
PID 4588 wrote to memory of 2764	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	133
PID 4588 wrote to memory of 3752	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	134
PID 4588 wrote to memory of 3752	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	134
PID 4588 wrote to memory of 3872	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	136
PID 4588 wrote to memory of 3872	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	136
PID 4588 wrote to memory of 4220	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	137
PID 4588 wrote to memory of 4220	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	137
PID 4588 wrote to memory of 2760	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	139
PID 4588 wrote to memory of 2760	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	139
PID 4588 wrote to memory of 1224	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	140
PID 4588 wrote to memory of 1224	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	140
PID 4588 wrote to memory of 2200	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	141
PID 4588 wrote to memory of 2200	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	141
PID 4588 wrote to memory of 4504	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	142
PID 4588 wrote to memory of 4504	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	142
PID 4588 wrote to memory of 2396	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	143
PID 4588 wrote to memory of 2396	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	143
PID 4588 wrote to memory of 4384	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	145
PID 4588 wrote to memory of 4384	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	145
PID 4588 wrote to memory of 5168	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	155
PID 4588 wrote to memory of 5168	4588	c3aaa8d0678c59cfe55a289d29c5b3d1.exe	155
PID 5168 wrote to memory of 5664	5168	backgroundTaskHost.exe	157
PID 5168 wrote to memory of 5664	5168	backgroundTaskHost.exe	157
PID 5168 wrote to memory of 5716	5168	backgroundTaskHost.exe	158
PID 5168 wrote to memory of 5716	5168	backgroundTaskHost.exe	158
PID 5664 wrote to memory of 832	5664	WScript.exe	167
PID 5664 wrote to memory of 832	5664	WScript.exe	167
PID 832 wrote to memory of 2588	832	backgroundTaskHost.exe	168
PID 832 wrote to memory of 2588	832	backgroundTaskHost.exe	168
PID 832 wrote to memory of 4036	832	backgroundTaskHost.exe	169
PID 832 wrote to memory of 4036	832	backgroundTaskHost.exe	169
PID 2588 wrote to memory of 1740	2588	WScript.exe	171
PID 2588 wrote to memory of 1740	2588	WScript.exe	171
PID 1740 wrote to memory of 2892	1740	backgroundTaskHost.exe	172
PID 1740 wrote to memory of 2892	1740	backgroundTaskHost.exe	172
PID 1740 wrote to memory of 1400	1740	backgroundTaskHost.exe	173
PID 1740 wrote to memory of 1400	1740	backgroundTaskHost.exe	173

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	c3aaa8d0678c59cfe55a289d29c5b3d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c3aaa8d0678c59cfe55a289d29c5b3d1.exe
"C:\Users\Admin\AppData\Local\Temp\c3aaa8d0678c59cfe55a289d29c5b3d1.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/0154351536fc379faee1/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/3ac54ddf2ad44faa6035cf/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Recovery\WindowsRE\backgroundTaskHost.exe
  "C:\Recovery\WindowsRE\backgroundTaskHost.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\586de3b3-653a-4ff6-aa58-5f188f020ac3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5664
  - - C:\Recovery\WindowsRE\backgroundTaskHost.exe
      C:\Recovery\WindowsRE\backgroundTaskHost.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b30c2bb-531e-414e-863b-51b43fb39d79.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Recovery\WindowsRE\backgroundTaskHost.exe
        
        C:\Recovery\WindowsRE\backgroundTaskHost.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6f9f0c9-2da7-4c39-8e5b-5f8eb478e0bd.vbs"
        7⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adbdd994-25bd-46b6-bbe0-bf0b409a1e8d.vbs"
        7⤵
        
        PID:1400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe13d56c-1bc6-44a1-9841-f4a9a2d04fdf.vbs"
        5⤵
        
        PID:4036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\876ef4cb-8f6a-4066-b329-e753e14538d8.vbs"
    3⤵
    PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\3ac54ddf2ad44faa6035cf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe

Filesize
5.9MB

MD5
3cb372420ad2a7236ea1e551f5123308

SHA1
b5f75a0f5c46b086db7643f7f24dc609d2d27554

SHA256
7f0b1d0b4f02770c6b0f3ce26757f3a9bae5edbf226ae8fac4166808ed2ab820

SHA512
274b5bd6d42bcc29877094e115f2fc506d93eaa541919332585b141390e0a0ba3b1c90453dd1594898e16c03c0bb5cda2f0c349748f76c3bcc974fec50d2d2c2

Download Submit
C:\Recovery\WindowsRE\backgroundTaskHost.exe

Filesize
5.9MB

MD5
60a1b8fa8fe245e6704dbb7207dad7c5

SHA1
d3297c5225f429d4a15904d81505b2ec9637b4df

SHA256
a1178e57b713fb2ee199a1a4d916246073a136e5d56f36bae266fe4177f16de3

SHA512
b0d5d35c55e6bb85a04779f4b10480f23f5251099c12ebea2cd1005b90a207938fa16851e293cc5769d4b817d44f09b50c587c86d1cbff9cf6b18a0cad860ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\backgroundTaskHost.exe.log

Filesize
1KB

MD5
229da4b4256a6a948830de7ee5f9b298

SHA1
8118b8ddc115689ca9dc2fe8c244350333c5ba8b

SHA256
3d63b4a66e80ed97a8d74ea9dee7645942aafbd4abf1b31afed1027e5967fe11

SHA512
3a4ec8f720000a32bb1555b32db13236a73bb6e654e35b4de8bdb0fc0de535584bc08ebe25c7066324e86faa33e8f571a11cc4e5ef00be78e2993e228f615224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2044ef36c414ed6e6c991e5fbe7d5bf1

SHA1
0dbd4be869af1290a771fa295db969dc14b2a1fc

SHA256
1b508c6beaa65e0936d9b64f352c2fb87392666d3a96e6e67cb2ba162302b6c6

SHA512
304045461390f2c001bd141036f0d195845508d78ddd52c8e0132e625566e2f1dc0ae982b58323ad2f08c4d1f9d1771d19eb50ec9405eb991c485a4ab7d55b32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fe089fecc1a7897c40a12707d788ca9

SHA1
97f8ab9020333729ec191b3dbd044c57227b84fc

SHA256
70d80df3a3a68fa45dd114205f58cc05df07e22940ec0f0f6172abfccf671e7c

SHA512
4e4feebea709ed3bbfd82ed507d04566593e9cb7bb02ca1056d8ecb6cbcd3b5118be5dee4ee80bf158565a009c05b217bd4c885fb1e01c7d61f5e3d430c940cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c926b492b1d39d04f6e9656ec7f5877d

SHA1
c2cb3c49c5aa9b0616a7ddb11c9a1453855b352a

SHA256
b0beda1f817ee65a341d4792f15dbd70be363835d7ebc3af6302b771295bc907

SHA512
df815fe9c34f85a90c3692534993955ca3c6f57a317f46bd9366152993c5918cd6f376678f9957ae43317bb7f1f5ba65ae175dce8f5e9735749263214e1fe74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b30c2bb-531e-414e-863b-51b43fb39d79.vbs

Filesize
719B

MD5
8f64afe28b3201c3af9bf1c24daadac0

SHA1
da1d3033e821d745225e26e54049db0955c6183c

SHA256
fa8cd087ee2a16c4dcf23a3abad3bad279c7eb877b04a08fcb3c11b7a797fbdb

SHA512
b550c89db781a330bcd11cb6236a879eca284cd092f91e215bec2c1b58db25d4230b5ab5192be144f323d61c4dbe885d41237f2e0b68d756647452489eee3757

Download Submit
C:\Users\Admin\AppData\Local\Temp\586de3b3-653a-4ff6-aa58-5f188f020ac3.vbs

Filesize
720B

MD5
23470024978251a20ee7b60de8806789

SHA1
2d0e31b94817ee03f2848408e3ac51b992dbc940

SHA256
a10efe4cec435ac68fbb56c2191d750edb312d53d9c837fbd38a999136cf25ba

SHA512
4a5e9a970a6c0e1cf7f29dca178f98428aa7ae93fbbe24f2d41caa0fe959c6249efe2fa92a8d461fe35f0d561a2c73440771e0f4f79f5dd412c21c146c221b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\876ef4cb-8f6a-4066-b329-e753e14538d8.vbs

Filesize
496B

MD5
da11b236fdc3b07c43cf983a11881105

SHA1
88b830e62fda6de753a6ee45f242e74f18d176b9

SHA256
e7f72cee7d4d93d338517cbd61be5c7418dd0a8be430b481b54da323483fa531

SHA512
c42de144c0eb6db5641f316263bf43a301ddc9b986efce6c93580f3408ca7608259d20aad5945d134d24006a424d9187670aa9767ebe4063d720e4ea60d0e3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kahl2xnz.01u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6f9f0c9-2da7-4c39-8e5b-5f8eb478e0bd.vbs

Filesize
720B

MD5
045bc7bf61b2dd7327ed91e51a4085fc

SHA1
6451b311ab70a3bec25167a4fbbc4dcd2f1e239f

SHA256
336d79953f994bb43422f35dbc83f6f7eb4ca006ed1140fb3f7e5f4f557ce5c6

SHA512
f293524a649d607977795db253bde04b9762239f81f92487141b0144939929ca81fd47c79ac3d71a32ca952757ba77570aebf7d743b28a0011e4dc65193d4a16

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RuntimeBroker.exe

Filesize
5.9MB

MD5
c3aaa8d0678c59cfe55a289d29c5b3d1

SHA1
2c592322b164e7fa9282bfdb7a650dbe4d41492c

SHA256
c18fdffa9d1b4bc8ae2f14f8685b9dcad5d250760d0fe059c522115dac9a3d24

SHA512
e36f85f15ee3e026fcac40603e8985277f1196d2435cb95c24ffa9afc1dbd09c69474be0d601c7b6a6c67bec203369cfb1e67aa6db1ae1a0056910b12bd70408

Download Submit
memory/1740-457-0x000000001CC40000-0x000000001CD42000-memory.dmp

Filesize
1.0MB

Download
memory/2944-266-0x0000022B6EB90000-0x0000022B6EBB2000-memory.dmp

Filesize
136KB

Download
memory/4588-16-0x000000001BE50000-0x000000001BE60000-memory.dmp

Filesize
64KB

Download
memory/4588-4-0x00000000031E0000-0x00000000031EE000-memory.dmp

Filesize
56KB

Download
memory/4588-39-0x000000001D9C0000-0x000000001D9C8000-memory.dmp

Filesize
32KB

Download
memory/4588-38-0x000000001D9B0000-0x000000001D9BC000-memory.dmp

Filesize
48KB

Download
memory/4588-37-0x000000001D790000-0x000000001D798000-memory.dmp

Filesize
32KB

Download
memory/4588-31-0x000000001D730000-0x000000001D738000-memory.dmp

Filesize
32KB

Download
memory/4588-30-0x000000001D720000-0x000000001D72C000-memory.dmp

Filesize
48KB

Download
memory/4588-29-0x000000001D710000-0x000000001D71C000-memory.dmp

Filesize
48KB

Download
memory/4588-27-0x000000001D6F0000-0x000000001D6FC000-memory.dmp

Filesize
48KB

Download
memory/4588-26-0x000000001D6E0000-0x000000001D6EC000-memory.dmp

Filesize
48KB

Download
memory/4588-25-0x000000001DCE0000-0x000000001E208000-memory.dmp

Filesize
5.2MB

Download
memory/4588-21-0x000000001D7A0000-0x000000001D7AC000-memory.dmp

Filesize
48KB

Download
memory/4588-20-0x000000001D690000-0x000000001D698000-memory.dmp

Filesize
32KB

Download
memory/4588-19-0x000000001BE70000-0x000000001BE7C000-memory.dmp

Filesize
48KB

Download
memory/4588-0-0x00007FF9EE673000-0x00007FF9EE675000-memory.dmp

Filesize
8KB

Download
memory/4588-14-0x000000001BCD0000-0x000000001BCDC000-memory.dmp

Filesize
48KB

Download
memory/4588-13-0x00000000033F0000-0x0000000003402000-memory.dmp

Filesize
72KB

Download
memory/4588-12-0x00000000033E0000-0x00000000033E8000-memory.dmp

Filesize
32KB

Download
memory/4588-11-0x00000000033C0000-0x00000000033D6000-memory.dmp

Filesize
88KB

Download
memory/4588-9-0x0000000003210000-0x0000000003218000-memory.dmp

Filesize
32KB

Download
memory/4588-8-0x000000001BDF0000-0x000000001BE40000-memory.dmp

Filesize
320KB

Download
memory/4588-7-0x0000000003390000-0x00000000033AC000-memory.dmp

Filesize
112KB

Download
memory/4588-6-0x0000000003200000-0x0000000003208000-memory.dmp

Filesize
32KB

Download
memory/4588-40-0x000000001D9D0000-0x000000001D9DA000-memory.dmp

Filesize
40KB

Download
memory/4588-41-0x000000001D9E0000-0x000000001D9EC000-memory.dmp

Filesize
48KB

Download
memory/4588-211-0x00007FF9EE673000-0x00007FF9EE675000-memory.dmp

Filesize
8KB

Download
memory/4588-33-0x000000001D750000-0x000000001D75A000-memory.dmp

Filesize
40KB

Download
memory/4588-34-0x000000001D760000-0x000000001D76E000-memory.dmp

Filesize
56KB

Download
memory/4588-35-0x000000001D770000-0x000000001D778000-memory.dmp

Filesize
32KB

Download
memory/4588-361-0x00007FF9EE670000-0x00007FF9EF131000-memory.dmp

Filesize
10.8MB

Download
memory/4588-1-0x0000000000730000-0x0000000001028000-memory.dmp

Filesize
9.0MB

Download
memory/4588-392-0x00007FF9EE670000-0x00007FF9EF131000-memory.dmp

Filesize
10.8MB

Download
memory/4588-36-0x000000001D780000-0x000000001D78E000-memory.dmp

Filesize
56KB

Download
memory/4588-32-0x000000001D740000-0x000000001D74C000-memory.dmp

Filesize
48KB

Download
memory/4588-28-0x000000001D700000-0x000000001D708000-memory.dmp

Filesize
32KB

Download
memory/4588-2-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/4588-22-0x000000001D6A0000-0x000000001D6A8000-memory.dmp

Filesize
32KB

Download
memory/4588-24-0x000000001D6B0000-0x000000001D6C2000-memory.dmp

Filesize
72KB

Download
memory/4588-18-0x000000001D640000-0x000000001D696000-memory.dmp

Filesize
344KB

Download
memory/4588-17-0x000000001BE60000-0x000000001BE6A000-memory.dmp

Filesize
40KB

Download
memory/4588-15-0x000000001BE40000-0x000000001BE48000-memory.dmp

Filesize
32KB

Download
memory/4588-10-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/4588-5-0x00000000031F0000-0x00000000031FE000-memory.dmp

Filesize
56KB

Download
memory/4588-3-0x00007FF9EE670000-0x00007FF9EF131000-memory.dmp

Filesize
10.8MB

Download
memory/5168-421-0x000000001D2F0000-0x000000001D302000-memory.dmp

Filesize
72KB

Download
memory/5168-391-0x0000000000590000-0x0000000000E88000-memory.dmp

Filesize
9.0MB

Download