dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
151s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb81b6d0e80118002af4508f2d2df288.exe
Size

5.9MB
MD5

cb81b6d0e80118002af4508f2d2df288
SHA1

d0f10e3d9df31a7528fda382bd759bb27af00920
SHA256

24ab80aa8bf163a7fc00cb6bfa5922269eb438ca6ce02da56016f6579106bfa2
SHA512

028e8bc13cce23c611bf8e1362dc1ceedce8b2d88af4fe8276ae1e631ccb90f3274a23a3e628bd45737a53efe1b08e6851db27823b6eb73b3105012b43083e34
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4f:RyeU11Rvqmu8TWKnF6N/1w+

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2768	schtasks.exe	29

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe
1480	powershell.exe
3020	powershell.exe
868	powershell.exe
2996	powershell.exe
1692	powershell.exe
1280	powershell.exe
2964	powershell.exe
584	powershell.exe
2232	powershell.exe
1884	powershell.exe
2436	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cb81b6d0e80118002af4508f2d2df288.exe

Executes dropped EXE 3 IoCs

pid	Process
1776	System.exe
1992	System.exe
2964	System.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
1776	System.exe
1776	System.exe
1992	System.exe
1992	System.exe
2964	System.exe
2964	System.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\56085415360792	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\WmiPrvSE.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\24dbde2999530e	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\DVD Maker\lsm.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\WmiPrvSE.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\DVD Maker\lsm.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX22F6.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Mozilla Firefox\browser\wininit.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\DVD Maker\101b941d020240	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Windows Media Player\Skins\33f2b1255889c0	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\RCX502.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCX168D.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\RCX16AD.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\DVD Maker\RCX1E42.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCX2383.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\RCX541.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\DVD Maker\RCX1D95.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\wininit.exe	cb81b6d0e80118002af4508f2d2df288.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\System.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\System.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\Logs\DPX\RCX27EA.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\PolicyDefinitions\en-US\27d1bcfc3c54e0	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\ehome\ja-JP\wininit.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\ehome\ja-JP\56085415360792	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\Logs\DPX\csrss.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\ehome\ja-JP\RCX25A6.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\ehome\ja-JP\wininit.exe	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\Logs\DPX\csrss.exe	cb81b6d0e80118002af4508f2d2df288.exe
File created	C:\Windows\Logs\DPX\886983d96e3d3e	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCXF56.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCXFE4.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\ehome\ja-JP\RCX25D6.tmp	cb81b6d0e80118002af4508f2d2df288.exe
File opened for modification	C:\Windows\Logs\DPX\RCX280A.tmp	cb81b6d0e80118002af4508f2d2df288.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
2188	schtasks.exe
1556	schtasks.exe
1676	schtasks.exe
2316	schtasks.exe
2520	schtasks.exe
2364	schtasks.exe
880	schtasks.exe
2392	schtasks.exe
2692	schtasks.exe
2608	schtasks.exe
1964	schtasks.exe
2500	schtasks.exe
1704	schtasks.exe
1724	schtasks.exe
2632	schtasks.exe
2612	schtasks.exe
2864	schtasks.exe
2536	schtasks.exe
1628	schtasks.exe
3048	schtasks.exe
1960	schtasks.exe
2432	schtasks.exe
2084	schtasks.exe
2184	schtasks.exe
2484	schtasks.exe
1824	schtasks.exe
2128	schtasks.exe
2720	schtasks.exe
564	schtasks.exe
1280	schtasks.exe
1564	schtasks.exe
936	schtasks.exe
2304	schtasks.exe
1640	schtasks.exe
2648	schtasks.exe
2964	schtasks.exe
1320	schtasks.exe
1116	schtasks.exe
1916	schtasks.exe
1536	schtasks.exe
764	schtasks.exe
556	schtasks.exe
2684	schtasks.exe
2444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe
868	powershell.exe
2232	powershell.exe
584	powershell.exe
2996	powershell.exe
1280	powershell.exe
2248	cb81b6d0e80118002af4508f2d2df288.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	cb81b6d0e80118002af4508f2d2df288.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1776	System.exe
Token: SeDebugPrivilege	1992	System.exe
Token: SeDebugPrivilege	2964	System.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1480	2248	cb81b6d0e80118002af4508f2d2df288.exe	75
PID 2248 wrote to memory of 1480	2248	cb81b6d0e80118002af4508f2d2df288.exe	75
PID 2248 wrote to memory of 1480	2248	cb81b6d0e80118002af4508f2d2df288.exe	75
PID 2248 wrote to memory of 2308	2248	cb81b6d0e80118002af4508f2d2df288.exe	76
PID 2248 wrote to memory of 2308	2248	cb81b6d0e80118002af4508f2d2df288.exe	76
PID 2248 wrote to memory of 2308	2248	cb81b6d0e80118002af4508f2d2df288.exe	76
PID 2248 wrote to memory of 3020	2248	cb81b6d0e80118002af4508f2d2df288.exe	78
PID 2248 wrote to memory of 3020	2248	cb81b6d0e80118002af4508f2d2df288.exe	78
PID 2248 wrote to memory of 3020	2248	cb81b6d0e80118002af4508f2d2df288.exe	78
PID 2248 wrote to memory of 868	2248	cb81b6d0e80118002af4508f2d2df288.exe	80
PID 2248 wrote to memory of 868	2248	cb81b6d0e80118002af4508f2d2df288.exe	80
PID 2248 wrote to memory of 868	2248	cb81b6d0e80118002af4508f2d2df288.exe	80
PID 2248 wrote to memory of 584	2248	cb81b6d0e80118002af4508f2d2df288.exe	82
PID 2248 wrote to memory of 584	2248	cb81b6d0e80118002af4508f2d2df288.exe	82
PID 2248 wrote to memory of 584	2248	cb81b6d0e80118002af4508f2d2df288.exe	82
PID 2248 wrote to memory of 2996	2248	cb81b6d0e80118002af4508f2d2df288.exe	83
PID 2248 wrote to memory of 2996	2248	cb81b6d0e80118002af4508f2d2df288.exe	83
PID 2248 wrote to memory of 2996	2248	cb81b6d0e80118002af4508f2d2df288.exe	83
PID 2248 wrote to memory of 2964	2248	cb81b6d0e80118002af4508f2d2df288.exe	84
PID 2248 wrote to memory of 2964	2248	cb81b6d0e80118002af4508f2d2df288.exe	84
PID 2248 wrote to memory of 2964	2248	cb81b6d0e80118002af4508f2d2df288.exe	84
PID 2248 wrote to memory of 1692	2248	cb81b6d0e80118002af4508f2d2df288.exe	85
PID 2248 wrote to memory of 1692	2248	cb81b6d0e80118002af4508f2d2df288.exe	85
PID 2248 wrote to memory of 1692	2248	cb81b6d0e80118002af4508f2d2df288.exe	85
PID 2248 wrote to memory of 2232	2248	cb81b6d0e80118002af4508f2d2df288.exe	86
PID 2248 wrote to memory of 2232	2248	cb81b6d0e80118002af4508f2d2df288.exe	86
PID 2248 wrote to memory of 2232	2248	cb81b6d0e80118002af4508f2d2df288.exe	86
PID 2248 wrote to memory of 1884	2248	cb81b6d0e80118002af4508f2d2df288.exe	87
PID 2248 wrote to memory of 1884	2248	cb81b6d0e80118002af4508f2d2df288.exe	87
PID 2248 wrote to memory of 1884	2248	cb81b6d0e80118002af4508f2d2df288.exe	87
PID 2248 wrote to memory of 1280	2248	cb81b6d0e80118002af4508f2d2df288.exe	91
PID 2248 wrote to memory of 1280	2248	cb81b6d0e80118002af4508f2d2df288.exe	91
PID 2248 wrote to memory of 1280	2248	cb81b6d0e80118002af4508f2d2df288.exe	91
PID 2248 wrote to memory of 2436	2248	cb81b6d0e80118002af4508f2d2df288.exe	92
PID 2248 wrote to memory of 2436	2248	cb81b6d0e80118002af4508f2d2df288.exe	92
PID 2248 wrote to memory of 2436	2248	cb81b6d0e80118002af4508f2d2df288.exe	92
PID 2248 wrote to memory of 1776	2248	cb81b6d0e80118002af4508f2d2df288.exe	99
PID 2248 wrote to memory of 1776	2248	cb81b6d0e80118002af4508f2d2df288.exe	99
PID 2248 wrote to memory of 1776	2248	cb81b6d0e80118002af4508f2d2df288.exe	99
PID 1776 wrote to memory of 2584	1776	System.exe	100
PID 1776 wrote to memory of 2584	1776	System.exe	100
PID 1776 wrote to memory of 2584	1776	System.exe	100
PID 1776 wrote to memory of 2020	1776	System.exe	101
PID 1776 wrote to memory of 2020	1776	System.exe	101
PID 1776 wrote to memory of 2020	1776	System.exe	101
PID 2584 wrote to memory of 1992	2584	WScript.exe	102
PID 2584 wrote to memory of 1992	2584	WScript.exe	102
PID 2584 wrote to memory of 1992	2584	WScript.exe	102
PID 1992 wrote to memory of 3040	1992	System.exe	103
PID 1992 wrote to memory of 3040	1992	System.exe	103
PID 1992 wrote to memory of 3040	1992	System.exe	103
PID 1992 wrote to memory of 872	1992	System.exe	104
PID 1992 wrote to memory of 872	1992	System.exe	104
PID 1992 wrote to memory of 872	1992	System.exe	104
PID 3040 wrote to memory of 2964	3040	WScript.exe	105
PID 3040 wrote to memory of 2964	3040	WScript.exe	105
PID 3040 wrote to memory of 2964	3040	WScript.exe	105

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cb81b6d0e80118002af4508f2d2df288.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe
"C:\Users\Admin\AppData\Local\Temp\cb81b6d0e80118002af4508f2d2df288.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\PolicyDefinitions\en-US\System.exe
  "C:\Windows\PolicyDefinitions\en-US\System.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7de61b86-b9d9-4805-bc36-4ad182698380.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\PolicyDefinitions\en-US\System.exe
      C:\Windows\PolicyDefinitions\en-US\System.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1992
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab195176-8deb-4f81-afa6-333869436f3d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\PolicyDefinitions\en-US\System.exe
        
        C:\Windows\PolicyDefinitions\en-US\System.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c78dc7ec-11dd-40c3-92e7-e8612477d0c6.vbs"
        5⤵
        
        PID:872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b903c2b-1697-498a-b433-09f8c14f6329.vbs"
    3⤵
    PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288c" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cb81b6d0e80118002af4508f2d2df288c" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DPX\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\lsm.exe

Filesize
5.9MB

MD5
17443245d39561321f2cc32238900d88

SHA1
b2adbbfc48a0752246acc9f13bc0f0602049369b

SHA256
785c05cb3cd21b8cc837103efce115aced76a2c93f3facf9fe7ef9107424c945

SHA512
2693ffaf98e17333ef37d04599518c89cc80fc55f6fd8259ba83cc61485cf88f612452124b6a543617b444ae6e9588c7d73e6aa880c3d9c95c87275f24723762

Download Submit
C:\Program Files\Windows Media Player\Skins\cb81b6d0e80118002af4508f2d2df288.exe

Filesize
5.9MB

MD5
00221057a86e4c53e6ef6342f10af1d5

SHA1
0c77e4e2aa94e193ff97a78e7f515a49a94e9bf1

SHA256
5ccb09e58f421459b9e5e13a188ab1d4a5a12ca112a045ccc23f89f760ad6b2c

SHA512
2ccdb5b14f4fe866829bf542bf0e5a21b438986a76d0c6902e1a3817227a81c4ce46c226985c154729c5c924e95f19a35814d2c39c1021fe57014b5f17d6b34f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7de61b86-b9d9-4805-bc36-4ad182698380.vbs

Filesize
721B

MD5
e45a6da99fde923370298a6583f51d97

SHA1
4ab7ac16fcd45f4a52fe5216afbcff3df0e03c24

SHA256
e84eb62aa43f62804d773de4d6d4d713fedb5ee41107b9b13b3d83fad7dc6c95

SHA512
af34e77f1ec6c44c646a10f249f1b86220843f8849fa7ff0a7603e2650125a6185f2630b0d9608882a5f25c6e088ea32842fab991e3847ff4dc0ee68e07f6d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b903c2b-1697-498a-b433-09f8c14f6329.vbs

Filesize
497B

MD5
246a52efdc4f940952839bdf6f80413a

SHA1
b6c967ac510d909d22f35d5f11f539454d21f16c

SHA256
75112aa74d6940e6c5b827233bb304fdbf1eaaf38f873af7e41532fd695802f8

SHA512
114778953a29d092649ec5286819599b2901cc2933fc7de01de94254b90a72c8e1bbd573635020c32fe557e6eb26d83c59313fdd13f0ffa3954192bbdeaf8a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab195176-8deb-4f81-afa6-333869436f3d.vbs

Filesize
721B

MD5
93ce9be7cabc60cacb79d8695f8f8345

SHA1
1e880378738ad0ae4f9ca02bc9d8d528b369b4dc

SHA256
02ac29d463de94fe3644d81cce2d5520370f29c0761ce5c886382761e3e3f794

SHA512
63b251514f724c980666837939147064129aa29fcc183244ce8a0d6be78e59c26a08bbfb4b28594c03d5f7012ded14fe1fc97511f05d080f38cbbe24f2fc1b29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
79438f0dd81f4a410e980dac8a51185f

SHA1
ad47861505cb9d44e847f29ab8659006a8d3cf4b

SHA256
3950071f0e58eb810fa5d73e284a5875d222c1796cf13cd6f9a65fa105cbe490

SHA512
c88eb5130ab8482b9b6363ae123945490b8fb442b546f91ec0701220a5b137042120e1e90e447fe74500270a889286e7e33db5c261c26dd5cf819323ecc8c325

Download Submit
C:\Windows\PolicyDefinitions\en-US\System.exe

Filesize
5.9MB

MD5
cb81b6d0e80118002af4508f2d2df288

SHA1
d0f10e3d9df31a7528fda382bd759bb27af00920

SHA256
24ab80aa8bf163a7fc00cb6bfa5922269eb438ca6ce02da56016f6579106bfa2

SHA512
028e8bc13cce23c611bf8e1362dc1ceedce8b2d88af4fe8276ae1e631ccb90f3274a23a3e628bd45737a53efe1b08e6851db27823b6eb73b3105012b43083e34

Download Submit
C:\Windows\PolicyDefinitions\en-US\System.exe

Filesize
5.9MB

MD5
8181dec0b035333aae07cabef4b5a587

SHA1
3313c05ada63e9b247634a8c2d8b33d066ac5d46

SHA256
720e9e036cf950fbdec8a8bfdc126a9a7b075eabc82528ae8231702edd79c811

SHA512
c75c1cc7a9b4db7e53d6c11869aa2f3916eb5e033d2d9c9acaf149e9cd9dcb60f5af532b08c01b908d8684304a510c86597e6b3c51aadeb69f1d8fcd4455a3aa

Download Submit
memory/584-289-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/868-291-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1776-324-0x000000001B4A0000-0x000000001B4F6000-memory.dmp

Filesize
344KB

Download
memory/1776-321-0x0000000000E00000-0x00000000016F8000-memory.dmp

Filesize
9.0MB

Download
memory/1992-336-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1992-337-0x0000000000DB0000-0x0000000000E06000-memory.dmp

Filesize
344KB

Download
memory/2248-14-0x000000001AF90000-0x000000001AF98000-memory.dmp

Filesize
32KB

Download
memory/2248-36-0x000000001BA10000-0x000000001BA1C000-memory.dmp

Filesize
48KB

Download
memory/2248-16-0x000000001B0D0000-0x000000001B0DA000-memory.dmp

Filesize
40KB

Download
memory/2248-17-0x000000001B4E0000-0x000000001B536000-memory.dmp

Filesize
344KB

Download
memory/2248-18-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/2248-19-0x000000001B0F0000-0x000000001B0F8000-memory.dmp

Filesize
32KB

Download
memory/2248-20-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/2248-21-0x000000001B530000-0x000000001B538000-memory.dmp

Filesize
32KB

Download
memory/2248-23-0x000000001B540000-0x000000001B552000-memory.dmp

Filesize
72KB

Download
memory/2248-24-0x000000001B550000-0x000000001B55C000-memory.dmp

Filesize
48KB

Download
memory/2248-25-0x000000001B600000-0x000000001B60C000-memory.dmp

Filesize
48KB

Download
memory/2248-27-0x000000001B620000-0x000000001B62C000-memory.dmp

Filesize
48KB

Download
memory/2248-26-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/2248-28-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/2248-29-0x000000001B640000-0x000000001B648000-memory.dmp

Filesize
32KB

Download
memory/2248-30-0x000000001B650000-0x000000001B65C000-memory.dmp

Filesize
48KB

Download
memory/2248-31-0x000000001B660000-0x000000001B66A000-memory.dmp

Filesize
40KB

Download
memory/2248-32-0x000000001B670000-0x000000001B67E000-memory.dmp

Filesize
56KB

Download
memory/2248-33-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/2248-34-0x000000001B9F0000-0x000000001B9FE000-memory.dmp

Filesize
56KB

Download
memory/2248-35-0x000000001BA00000-0x000000001BA08000-memory.dmp

Filesize
32KB

Download
memory/2248-15-0x000000001B0C0000-0x000000001B0D0000-memory.dmp

Filesize
64KB

Download
memory/2248-37-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/2248-38-0x000000001BA30000-0x000000001BA3A000-memory.dmp

Filesize
40KB

Download
memory/2248-39-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/2248-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2248-52-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/2248-13-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/2248-134-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-12-0x000000001B0B0000-0x000000001B0C2000-memory.dmp

Filesize
72KB

Download
memory/2248-10-0x000000001AF70000-0x000000001AF86000-memory.dmp

Filesize
88KB

Download
memory/2248-11-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/2248-9-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/2248-8-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/2248-6-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2248-322-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-7-0x0000000002910000-0x000000000292C000-memory.dmp

Filesize
112KB

Download
memory/2248-5-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2248-4-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2248-3-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-2-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000380000-0x0000000000C78000-memory.dmp

Filesize
9.0MB

Download
memory/2964-349-0x00000000013E0000-0x0000000001CD8000-memory.dmp

Filesize
9.0MB

Download
memory/2964-351-0x0000000000C00000-0x0000000000C12000-memory.dmp

Filesize
72KB

Download