dcrat | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770f4b8c61c658b7b4e9c1bb7d087196.exe
Size

5.9MB
MD5

770f4b8c61c658b7b4e9c1bb7d087196
SHA1

61e9578c90253544c2952ee7788b7516e820f0d3
SHA256

973e19cd948b9d0136c82da54c5b9d27e3f45bf5b77d24a15bc1481537ac0073
SHA512

54b49d42a270f9ff85f25276822cf5dc78a0413e167a3817890eb4cdea0521aff6c33ac0e64ecc9f3777117f26832da33a3d2d817dd81c56a996f6bcfe97a1b4
SSDEEP

98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:hyeU11Rvqmu8TWKnF6N/1w7

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2696	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe
2792	powershell.exe
2220	powershell.exe
1528	powershell.exe
2648	powershell.exe
2340	powershell.exe
2348	powershell.exe
864	powershell.exe
1456	powershell.exe
2072	powershell.exe
2872	powershell.exe
2520	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	770f4b8c61c658b7b4e9c1bb7d087196.exe

Executes dropped EXE 3 IoCs

pid	Process
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2844	770f4b8c61c658b7b4e9c1bb7d087196.exe
1424	770f4b8c61c658b7b4e9c1bb7d087196.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	770f4b8c61c658b7b4e9c1bb7d087196.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2844	770f4b8c61c658b7b4e9c1bb7d087196.exe
2844	770f4b8c61c658b7b4e9c1bb7d087196.exe
1424	770f4b8c61c658b7b4e9c1bb7d087196.exe
1424	770f4b8c61c658b7b4e9c1bb7d087196.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXE648.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEB4B.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsm.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Windows Portable Devices\101b941d020240	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\lsm.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXED60.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\101b941d020240	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\69ddcba757bf72	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\RCXDF9F.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXE1B2.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Windows NT\winlogon.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEFF1.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows NT\RCXDB76.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\de-DE\RCXDF9E.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEB4C.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEFF2.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\cc11b995f2a76d	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows NT\RCXDB75.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Windows NT\winlogon.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\RCXE649.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\770f4b8c61c658b7b4e9c1bb7d087196.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Windows Portable Devices\lsm.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\56085415360792	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCXED61.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Windows NT\cc11b995f2a76d	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\lsm.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Windows Portable Devices\770f4b8c61c658b7b4e9c1bb7d087196.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Program Files (x86)\Windows Portable Devices\856c3260a49afe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCXE1B3.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ja-JP\RCXE8CA.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\ja-JP\RCXE8CB.tmp	770f4b8c61c658b7b4e9c1bb7d087196.exe
File opened for modification	C:\Windows\ja-JP\lsass.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\ja-JP\lsass.exe	770f4b8c61c658b7b4e9c1bb7d087196.exe
File created	C:\Windows\ja-JP\6203df4a6bafc7	770f4b8c61c658b7b4e9c1bb7d087196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2360	schtasks.exe
1496	schtasks.exe
928	schtasks.exe
1464	schtasks.exe
1424	schtasks.exe
2248	schtasks.exe
2188	schtasks.exe
2216	schtasks.exe
972	schtasks.exe
1724	schtasks.exe
1068	schtasks.exe
2256	schtasks.exe
1172	schtasks.exe
2680	schtasks.exe
1500	schtasks.exe
2244	schtasks.exe
1912	schtasks.exe
1676	schtasks.exe
2424	schtasks.exe
1492	schtasks.exe
2440	schtasks.exe
2372	schtasks.exe
1744	schtasks.exe
1632	schtasks.exe
448	schtasks.exe
2772	schtasks.exe
1968	schtasks.exe
2872	schtasks.exe
1616	schtasks.exe
1956	schtasks.exe
2176	schtasks.exe
1644	schtasks.exe
3028	schtasks.exe
2900	schtasks.exe
1600	schtasks.exe
676	schtasks.exe
1460	schtasks.exe
2404	schtasks.exe
560	schtasks.exe
3048	schtasks.exe
2148	schtasks.exe
2452	schtasks.exe
904	schtasks.exe
760	schtasks.exe
264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
2072	powershell.exe
1456	powershell.exe
2348	powershell.exe
1528	powershell.exe
2648	powershell.exe
2792	powershell.exe
2220	powershell.exe
2340	powershell.exe
2872	powershell.exe
1740	powershell.exe
2520	powershell.exe
864	powershell.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
2236	770f4b8c61c658b7b4e9c1bb7d087196.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe
Token: SeDebugPrivilege	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe
Token: SeDebugPrivilege	1424	770f4b8c61c658b7b4e9c1bb7d087196.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1528	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	76
PID 2780 wrote to memory of 1528	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	76
PID 2780 wrote to memory of 1528	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	76
PID 2780 wrote to memory of 1456	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	77
PID 2780 wrote to memory of 1456	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	77
PID 2780 wrote to memory of 1456	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	77
PID 2780 wrote to memory of 2648	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	78
PID 2780 wrote to memory of 2648	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	78
PID 2780 wrote to memory of 2648	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	78
PID 2780 wrote to memory of 2072	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	79
PID 2780 wrote to memory of 2072	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	79
PID 2780 wrote to memory of 2072	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	79
PID 2780 wrote to memory of 2340	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	80
PID 2780 wrote to memory of 2340	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	80
PID 2780 wrote to memory of 2340	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	80
PID 2780 wrote to memory of 2872	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	81
PID 2780 wrote to memory of 2872	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	81
PID 2780 wrote to memory of 2872	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	81
PID 2780 wrote to memory of 2520	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	82
PID 2780 wrote to memory of 2520	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	82
PID 2780 wrote to memory of 2520	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	82
PID 2780 wrote to memory of 2348	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	83
PID 2780 wrote to memory of 2348	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	83
PID 2780 wrote to memory of 2348	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	83
PID 2780 wrote to memory of 1740	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	84
PID 2780 wrote to memory of 1740	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	84
PID 2780 wrote to memory of 1740	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	84
PID 2780 wrote to memory of 2792	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	85
PID 2780 wrote to memory of 2792	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	85
PID 2780 wrote to memory of 2792	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	85
PID 2780 wrote to memory of 864	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	86
PID 2780 wrote to memory of 864	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	86
PID 2780 wrote to memory of 864	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	86
PID 2780 wrote to memory of 2220	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	87
PID 2780 wrote to memory of 2220	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	87
PID 2780 wrote to memory of 2220	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	87
PID 2780 wrote to memory of 2148	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	100
PID 2780 wrote to memory of 2148	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	100
PID 2780 wrote to memory of 2148	2780	770f4b8c61c658b7b4e9c1bb7d087196.exe	100
PID 2148 wrote to memory of 2952	2148	cmd.exe	102
PID 2148 wrote to memory of 2952	2148	cmd.exe	102
PID 2148 wrote to memory of 2952	2148	cmd.exe	102
PID 2148 wrote to memory of 2236	2148	cmd.exe	103
PID 2148 wrote to memory of 2236	2148	cmd.exe	103
PID 2148 wrote to memory of 2236	2148	cmd.exe	103
PID 2236 wrote to memory of 1664	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	104
PID 2236 wrote to memory of 1664	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	104
PID 2236 wrote to memory of 1664	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	104
PID 2236 wrote to memory of 1076	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	105
PID 2236 wrote to memory of 1076	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	105
PID 2236 wrote to memory of 1076	2236	770f4b8c61c658b7b4e9c1bb7d087196.exe	105
PID 1664 wrote to memory of 2844	1664	WScript.exe	106
PID 1664 wrote to memory of 2844	1664	WScript.exe	106
PID 1664 wrote to memory of 2844	1664	WScript.exe	106
PID 2844 wrote to memory of 2168	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	107
PID 2844 wrote to memory of 2168	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	107
PID 2844 wrote to memory of 2168	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	107
PID 2844 wrote to memory of 560	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	108
PID 2844 wrote to memory of 560	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	108
PID 2844 wrote to memory of 560	2844	770f4b8c61c658b7b4e9c1bb7d087196.exe	108
PID 2168 wrote to memory of 1424	2168	WScript.exe	109
PID 2168 wrote to memory of 1424	2168	WScript.exe	109
PID 2168 wrote to memory of 1424	2168	WScript.exe	109
PID 1424 wrote to memory of 2116	1424	770f4b8c61c658b7b4e9c1bb7d087196.exe	110

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	770f4b8c61c658b7b4e9c1bb7d087196.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\770f4b8c61c658b7b4e9c1bb7d087196.exe
"C:\Users\Admin\AppData\Local\Temp\770f4b8c61c658b7b4e9c1bb7d087196.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2952
- - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe
    "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\390930eb-541e-4425-acb8-4684cb44db0b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2844
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64d8204c-8791-4d9c-bcaa-989332cad27a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a513751-bb4b-4aa0-8a7d-31259a173e49.vbs"
        8⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5848c3d5-221e-4030-ad13-b7c6bcd4bed9.vbs"
        8⤵
        
        PID:2208
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6daf4008-207b-423f-aea5-0e62f662d2d2.vbs"
        6⤵
        
        PID:560
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fc42cc3-ab8e-4609-9239-5042752509a7.vbs"
      4⤵
      PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d0871967" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d087196" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d0871967" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d0871967" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d087196" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "770f4b8c61c658b7b4e9c1bb7d0871967" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\it-IT\smss.exe

Filesize
5.9MB

MD5
770f4b8c61c658b7b4e9c1bb7d087196

SHA1
61e9578c90253544c2952ee7788b7516e820f0d3

SHA256
973e19cd948b9d0136c82da54c5b9d27e3f45bf5b77d24a15bc1481537ac0073

SHA512
54b49d42a270f9ff85f25276822cf5dc78a0413e167a3817890eb4cdea0521aff6c33ac0e64ecc9f3777117f26832da33a3d2d817dd81c56a996f6bcfe97a1b4

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\770f4b8c61c658b7b4e9c1bb7d087196.exe

Filesize
5.9MB

MD5
a905ae0f76916366275176c91d551420

SHA1
f406f7f6308bf924af0abdee87cff73010d8b0e5

SHA256
185b6bdd68a0d76cf373ed057b3f2707a3dbb8316b98fa2c4aa24982371a846a

SHA512
a432d1bcd7cc41db7b142bf08332740f21d4305af5725334026f7c9db878d07ff96d74dc3ca5a289dc9cf6d3c911346d2ac6a64eed76bf85b3e78d6a13eb5c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fc42cc3-ab8e-4609-9239-5042752509a7.vbs

Filesize
537B

MD5
20e1ccb6d660fd84e42373247b8fc894

SHA1
5d5565d0c1f60deede8a671692a31066f4685870

SHA256
f894b453559742c45009d3d1b38a64a9667d7803820c3d301797aec1022c8a93

SHA512
7810525a1f18f77ddae0067fc2b942f14d1dbbfcf35476d9fe107d610e18c3455cfc0f5566ab49aa728895232771f27e3dda4e23c1d46c962fe32f823247f0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\390930eb-541e-4425-acb8-4684cb44db0b.vbs

Filesize
761B

MD5
632a998d912dfc1701ed6c25be4dd284

SHA1
c18a87c38cabb5e4d51e76a93332d77d6691616b

SHA256
95d852363ad5632008741273bc8bb29979b292c623ed8ea70a43f9b723360704

SHA512
cfee44d3f2b5b3a9f45c44b7d9ae713d0077cfc3e1c2fc0322844f7cabad75c0c8c388eb2dcfe43dad55e0fa08f8552d86e0e1d92e7af6400045609f1edcfc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\64d8204c-8791-4d9c-bcaa-989332cad27a.vbs

Filesize
761B

MD5
75c8a3b790fa9ef6f207d1360753d2af

SHA1
66d1a694c4e442477fba5ca2a03e34e902899694

SHA256
ae6e96e8a2c2c0e7c2351801966c50f5de07543367522f5dc86a09813d85e679

SHA512
5cc1d6f0b64b85dc921209260f774b4924f51f5884ff3bcf881b88b36a2b2e803ad810c9e08176a6fbaf65bbbe091e1f096dca7957c023350cb5b42ee06cf80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a513751-bb4b-4aa0-8a7d-31259a173e49.vbs

Filesize
761B

MD5
48f2a25b509badb9298c1f3f177a82b4

SHA1
4388adde741dffb70c1a4262c9410f9f1781c781

SHA256
58e316a35d9e9b9ec62cedb985bda872ef46698ace8050b4024c1e5f888682dd

SHA512
9a674e36789a0c6dc2f3970d95c2a3f79432ae154d962b1a02cdaea2a71847e2747e5c3a292a9b8f429226224ea96d0bc73ef12b0776d6c2b85fa34a9d9f66b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8TbDE3pUR.bat

Filesize
250B

MD5
385bcb4f688f374345660ea7ea090dcf

SHA1
b67529eb6642a5162f88318cf66626246f38eeab

SHA256
71a427fda87dd64c88a0ac55a600e17043fb9bc3a9754df947add0177d3922e4

SHA512
cf5b3114bc46a0e3fce19060342ee6fcaa29ebe04a4a219754c871b85c71ad5707a47cbc999bcc3a080a108b98e62b15660f5a763766108fe495bc603609182d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ef2a4a8d6cdd05d239bf0ce6ce41f2c8

SHA1
8917449de06ba4ed3a946f4f985f17229d05396a

SHA256
c6c4aaea313ac7bf020a59323186fe2f8540639e739ede1bd85eb9fdf3e0a7a0

SHA512
fdd339bd3da921a8105d9c42bd6c5a9e2bd41546b70e5bb50e6a2533d8db6f3e785713dc3232117d66ed661d7ea0361792ddf43c67c692c5876415a8991a950b

Download Submit
memory/1424-348-0x0000000000140000-0x0000000000A38000-memory.dmp

Filesize
9.0MB

Download
memory/1424-350-0x0000000000ED0000-0x0000000000F26000-memory.dmp

Filesize
344KB

Download
memory/1456-269-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2072-270-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2236-322-0x0000000000A70000-0x0000000001368000-memory.dmp

Filesize
9.0MB

Download
memory/2780-14-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/2780-35-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/2780-15-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/2780-16-0x0000000000E50000-0x0000000000E5A000-memory.dmp

Filesize
40KB

Download
memory/2780-17-0x0000000000E60000-0x0000000000EB6000-memory.dmp

Filesize
344KB

Download
memory/2780-18-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/2780-19-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2780-20-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/2780-21-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/2780-23-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/2780-24-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/2780-25-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/2780-26-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/2780-27-0x0000000001010000-0x000000000101C000-memory.dmp

Filesize
48KB

Download
memory/2780-28-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/2780-29-0x0000000001040000-0x0000000001048000-memory.dmp

Filesize
32KB

Download
memory/2780-30-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/2780-31-0x0000000001050000-0x000000000105A000-memory.dmp

Filesize
40KB

Download
memory/2780-32-0x00000000010E0000-0x00000000010EE000-memory.dmp

Filesize
56KB

Download
memory/2780-33-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/2780-34-0x0000000001200000-0x000000000120E000-memory.dmp

Filesize
56KB

Download
memory/2780-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2780-36-0x0000000001220000-0x000000000122C000-memory.dmp

Filesize
48KB

Download
memory/2780-37-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/2780-38-0x0000000001240000-0x000000000124A000-memory.dmp

Filesize
40KB

Download
memory/2780-39-0x0000000001250000-0x000000000125C000-memory.dmp

Filesize
48KB

Download
memory/2780-13-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/2780-192-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2780-228-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-12-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/2780-11-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2780-10-0x0000000000DF0000-0x0000000000E06000-memory.dmp

Filesize
88KB

Download
memory/2780-273-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-9-0x0000000000C50000-0x0000000000C60000-memory.dmp

Filesize
64KB

Download
memory/2780-8-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2780-7-0x0000000000C20000-0x0000000000C3C000-memory.dmp

Filesize
112KB

Download
memory/2780-6-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2780-5-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2780-1-0x00000000012B0000-0x0000000001BA8000-memory.dmp

Filesize
9.0MB

Download
memory/2780-2-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2780-4-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/2780-3-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-336-0x000000001B430000-0x000000001B442000-memory.dmp

Filesize
72KB

Download
memory/2844-334-0x0000000001390000-0x0000000001C88000-memory.dmp

Filesize
9.0MB

Download