dcrat | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Size

5.9MB
MD5

a7fd5ae1f0d16e9069ca216d2f21ccf8
SHA1

9c7a2f7d780bb05baa0b592ca1547ba25bbcf4ea
SHA256

0deb67b0ba108bc58c86e696234379a5bdfb1f3de00269944c28113001695e47
SHA512

a317655fd45bd7d86393d02cf3471ba145fa696b73f6a4d1463ed81030a44ea68308f34b8beca3382f678c797e95b8f9be70902d91870e5f98139debb21ac353
SSDEEP

98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4r:xyeU11Rvqmu8TWKnF6N/1wO

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2868	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2868	schtasks.exe	30

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2672	powershell.exe
2920	powershell.exe
1316	powershell.exe
2064	powershell.exe
1748	powershell.exe
2880	powershell.exe
532	powershell.exe
1936	powershell.exe
2308	powershell.exe
2700	powershell.exe
572	powershell.exe
264	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe

Executes dropped EXE 3 IoCs

pid	Process
2016	dwm.exe
2364	dwm.exe
692	dwm.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2016	dwm.exe
2016	dwm.exe
2364	dwm.exe
2364	dwm.exe
692	dwm.exe
692	dwm.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\RCXC06D.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\69ddcba757bf72	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXA509.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCXB4DE.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\services.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXA508.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBDEC.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\RCXC06E.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\6ccacd8608530f	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\69ddcba757bf72	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\c5b4cb5e9653cc	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\RCXB4DF.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCXBDEB.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\services.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\69ddcba757bf72	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXB0B6.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\RCXB907.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\RCXB908.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Windows\AppPatch\AppPatch64\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\RCXB0B5.tmp	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Windows\AppPatch\AppPatch64\95b9494d8d459d	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\smss.exe	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
900	schtasks.exe
2504	schtasks.exe
2004	schtasks.exe
2816	schtasks.exe
2536	schtasks.exe
440	schtasks.exe
2256	schtasks.exe
2920	schtasks.exe
2932	schtasks.exe
2036	schtasks.exe
1808	schtasks.exe
620	schtasks.exe
1544	schtasks.exe
1152	schtasks.exe
816	schtasks.exe
580	schtasks.exe
1084	schtasks.exe
968	schtasks.exe
2188	schtasks.exe
680	schtasks.exe
2700	schtasks.exe
2428	schtasks.exe
1488	schtasks.exe
2992	schtasks.exe
1952	schtasks.exe
1564	schtasks.exe
1048	schtasks.exe
2736	schtasks.exe
2964	schtasks.exe
2032	schtasks.exe
2552	schtasks.exe
2232	schtasks.exe
2264	schtasks.exe
2208	schtasks.exe
2664	schtasks.exe
1296	schtasks.exe
592	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
1316	powershell.exe
2672	powershell.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
2920	powershell.exe
2308	powershell.exe
2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
1748	powershell.exe
532	powershell.exe
2880	powershell.exe
2064	powershell.exe
572	powershell.exe
1936	powershell.exe
2700	powershell.exe
264	powershell.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe
2016	dwm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2016	dwm.exe
Token: SeDebugPrivilege	2364	dwm.exe
Token: SeDebugPrivilege	692	dwm.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2920	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	70
PID 2384 wrote to memory of 2920	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	70
PID 2384 wrote to memory of 2920	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	70
PID 2384 wrote to memory of 1316	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	71
PID 2384 wrote to memory of 1316	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	71
PID 2384 wrote to memory of 1316	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	71
PID 2384 wrote to memory of 2308	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	73
PID 2384 wrote to memory of 2308	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	73
PID 2384 wrote to memory of 2308	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	73
PID 2384 wrote to memory of 2672	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	75
PID 2384 wrote to memory of 2672	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	75
PID 2384 wrote to memory of 2672	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	75
PID 2384 wrote to memory of 1936	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	76
PID 2384 wrote to memory of 1936	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	76
PID 2384 wrote to memory of 1936	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	76
PID 2384 wrote to memory of 532	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	77
PID 2384 wrote to memory of 532	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	77
PID 2384 wrote to memory of 532	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	77
PID 2384 wrote to memory of 264	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	78
PID 2384 wrote to memory of 264	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	78
PID 2384 wrote to memory of 264	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	78
PID 2384 wrote to memory of 2880	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	79
PID 2384 wrote to memory of 2880	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	79
PID 2384 wrote to memory of 2880	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	79
PID 2384 wrote to memory of 2700	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	80
PID 2384 wrote to memory of 2700	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	80
PID 2384 wrote to memory of 2700	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	80
PID 2384 wrote to memory of 2064	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	81
PID 2384 wrote to memory of 2064	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	81
PID 2384 wrote to memory of 2064	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	81
PID 2384 wrote to memory of 572	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	82
PID 2384 wrote to memory of 572	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	82
PID 2384 wrote to memory of 572	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	82
PID 2384 wrote to memory of 1748	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	83
PID 2384 wrote to memory of 1748	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	83
PID 2384 wrote to memory of 1748	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	83
PID 2384 wrote to memory of 2016	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	94
PID 2384 wrote to memory of 2016	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	94
PID 2384 wrote to memory of 2016	2384	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe	94
PID 2016 wrote to memory of 2952	2016	dwm.exe	96
PID 2016 wrote to memory of 2952	2016	dwm.exe	96
PID 2016 wrote to memory of 2952	2016	dwm.exe	96
PID 2016 wrote to memory of 1280	2016	dwm.exe	97
PID 2016 wrote to memory of 1280	2016	dwm.exe	97
PID 2016 wrote to memory of 1280	2016	dwm.exe	97
PID 2952 wrote to memory of 2364	2952	WScript.exe	98
PID 2952 wrote to memory of 2364	2952	WScript.exe	98
PID 2952 wrote to memory of 2364	2952	WScript.exe	98
PID 2364 wrote to memory of 1756	2364	dwm.exe	99
PID 2364 wrote to memory of 1756	2364	dwm.exe	99
PID 2364 wrote to memory of 1756	2364	dwm.exe	99
PID 2364 wrote to memory of 2872	2364	dwm.exe	100
PID 2364 wrote to memory of 2872	2364	dwm.exe	100
PID 2364 wrote to memory of 2872	2364	dwm.exe	100
PID 1756 wrote to memory of 692	1756	WScript.exe	101
PID 1756 wrote to memory of 692	1756	WScript.exe	101
PID 1756 wrote to memory of 692	1756	WScript.exe	101
PID 692 wrote to memory of 1228	692	dwm.exe	102
PID 692 wrote to memory of 1228	692	dwm.exe	102
PID 692 wrote to memory of 1228	692	dwm.exe	102
PID 692 wrote to memory of 584	692	dwm.exe	103
PID 692 wrote to memory of 584	692	dwm.exe	103
PID 692 wrote to memory of 584	692	dwm.exe	103

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe
"C:\Users\Admin\AppData\Local\Temp\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe
  "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8f3684d-051c-4127-a0d9-775e849464df.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe
      C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2364
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\768adaf4-f06e-4d58-b201-69f0bd9bde13.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c60b45d0-bbde-46a7-acd3-153ea5e06cae.vbs"
        7⤵
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b40eb85-da6e-4afd-81b9-13ae855101ce.vbs"
        7⤵
        
        PID:584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c60b1db-aa64-4191-8a01-ac4e2b76850c.vbs"
        5⤵
        
        PID:2872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76752217-a372-4fe1-aa1e-bf0af9f891ad.vbs"
    3⤵
    PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8a" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8a" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8a" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\AppPatch64\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8" /sc ONLOGON /tr "'C:\Windows\AppPatch\AppPatch64\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a7fd5ae1f0d16e9069ca216d2f21ccf8a" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\AppPatch64\a7fd5ae1f0d16e9069ca216d2f21ccf8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe

Filesize
5.9MB

MD5
a7fd5ae1f0d16e9069ca216d2f21ccf8

SHA1
9c7a2f7d780bb05baa0b592ca1547ba25bbcf4ea

SHA256
0deb67b0ba108bc58c86e696234379a5bdfb1f3de00269944c28113001695e47

SHA512
a317655fd45bd7d86393d02cf3471ba145fa696b73f6a4d1463ed81030a44ea68308f34b8beca3382f678c797e95b8f9be70902d91870e5f98139debb21ac353

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\winlogon.exe

Filesize
5.9MB

MD5
26647611e9cb7c889de4cc00cf667ad7

SHA1
dc854eb50794bbdadf2945b1f8062ed1cd24de39

SHA256
a394c7caeb6bb385474eb5dd64b74d00ae2d0019341adf6079c2b70ed272f4c9

SHA512
0f137cdd1b94fb76ff52d4f7f5d06032cf09111ff57feb88b00ce528ad3c89ff1b38a0ff8031e44e45ed32c75aea7ba58f2bace5906858b1b7ca1f6b766121cb

Download Submit
C:\ProgramData\RCXBB1B.tmp

Filesize
5.9MB

MD5
422c039646c9366ef526e3da27e0dd64

SHA1
8563a154d6cb1e55e0fb7673af50c977480c598a

SHA256
e9a4d49eaa54617de64df1c47aa13e4aff144ae2c3a5d3d48a9bec842740d585

SHA512
bae8adad52343e7751e505de67a9979db94c5d3c7ac73538dbd534fdca54b96635d79bd8108865c23099fa97b2f948d18a23f6c85b79cb391a18e085feda64c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\76752217-a372-4fe1-aa1e-bf0af9f891ad.vbs

Filesize
508B

MD5
c86c64d369f5dafcb5a530200f1d91f1

SHA1
87e145bf1d8bc789ad7df2290d12411652bdd20e

SHA256
e02c4043dc6d67e80a16aa5026eaff8b8bf4f1d3bc62475d9d6a03ba59d86bfd

SHA512
937edbbe68fa87f134f22338aaab20aae14ec9af2215fdf867dca50a4c962928cfcada3fb357d9c052233232d3ef890c7ab4826a5f48d03054b5c9d77c90da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\768adaf4-f06e-4d58-b201-69f0bd9bde13.vbs

Filesize
732B

MD5
421d8c2e4a3b5de1ea2645a8dcfbe5da

SHA1
7ce84c84945b79aa7b16e1cda5757d6cbd61718c

SHA256
bba8f9401c8b3e93f20fc2bd49f1d1c510de53390a64ccbf7f46cef980599087

SHA512
e3733019fed84b34f939ba99af3d552ac57d5260e235b648480a06bb5a2b2e16836635c348d8e35f105d21e740845aa8ec714843ad2ee9772d97458454d361a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c60b45d0-bbde-46a7-acd3-153ea5e06cae.vbs

Filesize
731B

MD5
bba8c2efb348030aab9f03f9971ea0ca

SHA1
441492004f7eb8843c555c141fd68fbf43310b09

SHA256
3a227507538f0dfcd61d2c7d0558017875c79e18eef5e1113c558a1604a97b6e

SHA512
ddccb9b6ff1daee5425120abc4bc0286faedf3ef5db45b9f175f0e0b124e6a176c48a76fb50394d4557e858c15a3ba0531c1fc9ea262d474c01c5072ea4ad4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8f3684d-051c-4127-a0d9-775e849464df.vbs

Filesize
732B

MD5
316508a0c139917e00e794e605eec4bf

SHA1
db08c675f8afd83d44e3001e98272a9f934c090e

SHA256
11445597cdb15822570b9c2d27f238f9e6587d96bd86e7b7d06e5fe4b8ddc76c

SHA512
95a38bf02dd04bd5c4612a589dac1a8ab1dc36485c85b1b5831724c3d752f3df7051492c5ff2780bbc7632ddf60218acb5e0df8d81527e52b1fd1fd433ad9854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
af8f6f59ec22261b15db2a1ed2319c9a

SHA1
d657a00d5eac47ce7cbde3193f2c13ed240f3c24

SHA256
cd773486daf329cf42c36b71f4fc52daa3bfb9bc03726b7bcdc96e89fd96ae40

SHA512
25804e0fefa4beb8a8006a75db9894781db1ea33304595efd54829c1e0349ad2ffa61ad8db6ccf2528cc2138325dd4a567890ea1231524dc216f70d1490fc660

Download Submit
memory/1316-236-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/1316-230-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2016-258-0x0000000001080000-0x0000000001978000-memory.dmp

Filesize
9.0MB

Download
memory/2364-305-0x0000000001200000-0x0000000001AF8000-memory.dmp

Filesize
9.0MB

Download
memory/2384-13-0x0000000002960000-0x000000000296C000-memory.dmp

Filesize
48KB

Download
memory/2384-34-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

Filesize
56KB

Download
memory/2384-15-0x0000000002970000-0x0000000002980000-memory.dmp

Filesize
64KB

Download
memory/2384-14-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/2384-16-0x0000000002C60000-0x0000000002C6A000-memory.dmp

Filesize
40KB

Download
memory/2384-17-0x000000001B290000-0x000000001B2E6000-memory.dmp

Filesize
344KB

Download
memory/2384-18-0x0000000002C70000-0x0000000002C7C000-memory.dmp

Filesize
48KB

Download
memory/2384-19-0x0000000002CC0000-0x0000000002CC8000-memory.dmp

Filesize
32KB

Download
memory/2384-20-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

Filesize
48KB

Download
memory/2384-21-0x0000000002CE0000-0x0000000002CE8000-memory.dmp

Filesize
32KB

Download
memory/2384-23-0x000000001B170000-0x000000001B182000-memory.dmp

Filesize
72KB

Download
memory/2384-24-0x000000001B180000-0x000000001B18C000-memory.dmp

Filesize
48KB

Download
memory/2384-25-0x000000001B300000-0x000000001B30C000-memory.dmp

Filesize
48KB

Download
memory/2384-26-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/2384-27-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/2384-28-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/2384-31-0x000000001BB90000-0x000000001BB9A000-memory.dmp

Filesize
40KB

Download
memory/2384-30-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/2384-32-0x000000001BBA0000-0x000000001BBAE000-memory.dmp

Filesize
56KB

Download
memory/2384-29-0x000000001BB00000-0x000000001BB08000-memory.dmp

Filesize
32KB

Download
memory/2384-33-0x000000001BBB0000-0x000000001BBB8000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2384-35-0x000000001BBD0000-0x000000001BBD8000-memory.dmp

Filesize
32KB

Download
memory/2384-36-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/2384-37-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/2384-38-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/2384-39-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/2384-12-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2384-11-0x0000000000F00000-0x0000000000F08000-memory.dmp

Filesize
32KB

Download
memory/2384-10-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/2384-200-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2384-8-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2384-237-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-7-0x0000000000CA0000-0x0000000000CBC000-memory.dmp

Filesize
112KB

Download
memory/2384-6-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2384-293-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-5-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/2384-4-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/2384-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2384-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x00000000002E0000-0x0000000000BD8000-memory.dmp

Filesize
9.0MB

Download