dcrat | 894a461e0d709023ba6ec45f748b38a79ae12cf398702244ef2ffa93dd644133

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab89f9e5fc235d4e0bf6b72be96e777b.exe
Size

5.9MB
MD5

ab89f9e5fc235d4e0bf6b72be96e777b
SHA1

c714d6e77c07fa5c3f5ba33f5696e1c537db4a24
SHA256

a51a0a522e7881f8eafb519d98f0560f0aa4ec99cea8d9766d018de6fa6085ca
SHA512

7f1b46016e1af5bdb80ec16f5936c076fcb17785f5e03df23c11f203b533419f4919d3aa41f160c586a674b6e71c86b1e3552c1c46e667be002634622326dc94
SSDEEP

98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4S:RyeU11Rvqmu8TWKnF6N/1wz

Score

10^/10

dcrat defense_evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2792	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2792	schtasks.exe	28

UAC bypass 3 TTPs 12 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
2360	powershell.exe
1928	powershell.exe
2720	powershell.exe
1300	powershell.exe
1984	powershell.exe
696	powershell.exe
2840	powershell.exe
988	powershell.exe
3028	powershell.exe
1968	powershell.exe
1652	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ab89f9e5fc235d4e0bf6b72be96e777b.exe

Executes dropped EXE 3 IoCs

pid	Process
2376	csrss.exe
328	csrss.exe
2236	csrss.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2376	csrss.exe
2376	csrss.exe
328	csrss.exe
328	csrss.exe
2236	csrss.exe
2236	csrss.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX82EE.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ab89f9e5fc235d4e0bf6b72be96e777b.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\ab89f9e5fc235d4e0bf6b72be96e777b.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX70F5.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX6E63.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX698E.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\73afccf5da008a	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\c5b4cb5e9653cc	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX6EF0.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX70F4.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCX7A2F.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCX7A30.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX82EF.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\System.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Reference Assemblies\lsm.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCX80DA.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCX80DB.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\services.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files\Reference Assemblies\lsm.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files\Reference Assemblies\101b941d020240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\6cb0b6c459d5d3	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files\Windows Journal\fr-FR\smss.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\27d1bcfc3c54e0	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX69CE.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\smss.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files\Windows Journal\fr-FR\69ddcba757bf72	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\services.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\services.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File created	C:\Windows\AppCompat\c5b4cb5e9653cc	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Windows\AppCompat\RCX7EC5.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Windows\AppCompat\RCX7EC6.tmp	ab89f9e5fc235d4e0bf6b72be96e777b.exe
File opened for modification	C:\Windows\AppCompat\services.exe	ab89f9e5fc235d4e0bf6b72be96e777b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
984	schtasks.exe
1544	schtasks.exe
1712	schtasks.exe
1304	schtasks.exe
2136	schtasks.exe
2148	schtasks.exe
2588	schtasks.exe
1248	schtasks.exe
2564	schtasks.exe
3000	schtasks.exe
696	schtasks.exe
520	schtasks.exe
2880	schtasks.exe
1972	schtasks.exe
2756	schtasks.exe
2264	schtasks.exe
2176	schtasks.exe
2736	schtasks.exe
2968	schtasks.exe
2412	schtasks.exe
1728	schtasks.exe
2832	schtasks.exe
1936	schtasks.exe
2324	schtasks.exe
1512	schtasks.exe
1748	schtasks.exe
1976	schtasks.exe
1048	schtasks.exe
2092	schtasks.exe
1704	schtasks.exe
2996	schtasks.exe
352	schtasks.exe
1324	schtasks.exe
608	schtasks.exe
1996	schtasks.exe
2184	schtasks.exe
1684	schtasks.exe
1664	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
3028	powershell.exe
1984	powershell.exe
1968	powershell.exe
696	powershell.exe
988	powershell.exe
2360	powershell.exe
1300	powershell.exe
2840	powershell.exe
1932	powershell.exe
1928	powershell.exe
1652	powershell.exe
2720	powershell.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe
2376	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2376	csrss.exe
Token: SeDebugPrivilege	328	csrss.exe
Token: SeDebugPrivilege	2236	csrss.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 696	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	68
PID 2240 wrote to memory of 696	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	68
PID 2240 wrote to memory of 696	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	68
PID 2240 wrote to memory of 1984	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	69
PID 2240 wrote to memory of 1984	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	69
PID 2240 wrote to memory of 1984	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	69
PID 2240 wrote to memory of 1968	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	70
PID 2240 wrote to memory of 1968	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	70
PID 2240 wrote to memory of 1968	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	70
PID 2240 wrote to memory of 3028	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	72
PID 2240 wrote to memory of 3028	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	72
PID 2240 wrote to memory of 3028	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	72
PID 2240 wrote to memory of 1300	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	73
PID 2240 wrote to memory of 1300	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	73
PID 2240 wrote to memory of 1300	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	73
PID 2240 wrote to memory of 2720	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	75
PID 2240 wrote to memory of 2720	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	75
PID 2240 wrote to memory of 2720	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	75
PID 2240 wrote to memory of 988	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	77
PID 2240 wrote to memory of 988	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	77
PID 2240 wrote to memory of 988	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	77
PID 2240 wrote to memory of 1928	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	79
PID 2240 wrote to memory of 1928	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	79
PID 2240 wrote to memory of 1928	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	79
PID 2240 wrote to memory of 2360	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	80
PID 2240 wrote to memory of 2360	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	80
PID 2240 wrote to memory of 2360	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	80
PID 2240 wrote to memory of 1932	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	81
PID 2240 wrote to memory of 1932	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	81
PID 2240 wrote to memory of 1932	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	81
PID 2240 wrote to memory of 2840	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	82
PID 2240 wrote to memory of 2840	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	82
PID 2240 wrote to memory of 2840	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	82
PID 2240 wrote to memory of 1652	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	83
PID 2240 wrote to memory of 1652	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	83
PID 2240 wrote to memory of 1652	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	83
PID 2240 wrote to memory of 2376	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	86
PID 2240 wrote to memory of 2376	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	86
PID 2240 wrote to memory of 2376	2240	ab89f9e5fc235d4e0bf6b72be96e777b.exe	86
PID 2376 wrote to memory of 2868	2376	csrss.exe	93
PID 2376 wrote to memory of 2868	2376	csrss.exe	93
PID 2376 wrote to memory of 2868	2376	csrss.exe	93
PID 2376 wrote to memory of 472	2376	csrss.exe	94
PID 2376 wrote to memory of 472	2376	csrss.exe	94
PID 2376 wrote to memory of 472	2376	csrss.exe	94
PID 2868 wrote to memory of 328	2868	WScript.exe	97
PID 2868 wrote to memory of 328	2868	WScript.exe	97
PID 2868 wrote to memory of 328	2868	WScript.exe	97
PID 328 wrote to memory of 2632	328	csrss.exe	98
PID 328 wrote to memory of 2632	328	csrss.exe	98
PID 328 wrote to memory of 2632	328	csrss.exe	98
PID 328 wrote to memory of 2060	328	csrss.exe	99
PID 328 wrote to memory of 2060	328	csrss.exe	99
PID 328 wrote to memory of 2060	328	csrss.exe	99
PID 2632 wrote to memory of 2236	2632	WScript.exe	100
PID 2632 wrote to memory of 2236	2632	WScript.exe	100
PID 2632 wrote to memory of 2236	2632	WScript.exe	100
PID 2236 wrote to memory of 1688	2236	csrss.exe	101
PID 2236 wrote to memory of 1688	2236	csrss.exe	101
PID 2236 wrote to memory of 1688	2236	csrss.exe	101
PID 2236 wrote to memory of 1812	2236	csrss.exe	102
PID 2236 wrote to memory of 1812	2236	csrss.exe	102
PID 2236 wrote to memory of 1812	2236	csrss.exe	102

System policy modification 1 TTPs 12 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab89f9e5fc235d4e0bf6b72be96e777b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ab89f9e5fc235d4e0bf6b72be96e777b.exe
"C:\Users\Admin\AppData\Local\Temp\ab89f9e5fc235d4e0bf6b72be96e777b.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2376
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4865a82-6cff-4d24-87c3-d093a1146de1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97cb385f-c18e-424c-a0fd-aa88cd7ffe00.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c06087d-709e-47e9-9e01-a63de10aac0a.vbs"
        7⤵
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f68a6834-c184-457d-9e32-179b4a9223f8.vbs"
        7⤵
        
        PID:1812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62ae5a8b-eb0d-4422-8b45-9766fe426727.vbs"
        5⤵
        
        PID:2060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fff9d8d3-4ac1-452f-b56c-91c79eac91bc.vbs"
    3⤵
    PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777b" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppCompat\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777b" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ab89f9e5fc235d4e0bf6b72be96e777ba" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\ab89f9e5fc235d4e0bf6b72be96e777b.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe

Filesize
5.9MB

MD5
ce82423743be12dd9301399d46f1de89

SHA1
b643a5385cd16fe45912e0406ec70d91094e265b

SHA256
a3822cb77f4efd82f7a7202174c5d2741749f6b63fa9a69647374c5de29f79b5

SHA512
893af587617578456874d371b5a33927a0c2706f25c77fbd67a8478ee404a30ccc8fffc8d810d3464cea68c85da2e4e13e145818799a6dc04ddbce8fa5341668

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe

Filesize
5.9MB

MD5
ab89f9e5fc235d4e0bf6b72be96e777b

SHA1
c714d6e77c07fa5c3f5ba33f5696e1c537db4a24

SHA256
a51a0a522e7881f8eafb519d98f0560f0aa4ec99cea8d9766d018de6fa6085ca

SHA512
7f1b46016e1af5bdb80ec16f5936c076fcb17785f5e03df23c11f203b533419f4919d3aa41f160c586a674b6e71c86b1e3552c1c46e667be002634622326dc94

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dllhost.exe

Filesize
5.9MB

MD5
9eef777b83ab41edb052dc4ec38bf38f

SHA1
fcce12b32a1876646498abe62a0d5d0207d19709

SHA256
8dc6c61b13fd24d956e61c75ea5499d4c41bafa5c690193ab0c957689769364c

SHA512
5e905fb490535174c2b997c76b74676ee5463467781ec8c73de9b4cb9e0fd808aa62d2707d1c79baa447b5742391db882c2a15cd5d477db44e5e56baaec1a999

Download Submit
C:\Program Files\Reference Assemblies\lsm.exe

Filesize
5.9MB

MD5
929eca46b20335aa3f944fdeb2513b7e

SHA1
43131c48c25d17a0c859273072502ccc30ac22fc

SHA256
1428f381dd2549cac915939f242244b591f73512820c8a4e72bcbcbb2bcceede

SHA512
3a6ab1880308e1b8590fc0fce12696f8ff3cf6917934def2ceaadd863bec77bff6ae920277a80e4108ccf551b837a6baf7ccbc44f12d0efc44aa852fdbbfde5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\97cb385f-c18e-424c-a0fd-aa88cd7ffe00.vbs

Filesize
756B

MD5
d40b739d3edbd04ea10a8a8673e29552

SHA1
5b062b93bd8bfeeda53e629bdb349af259a48fed

SHA256
2fc296d2f77460c73c4be1a048a63556eff2b4e60cab229548b070744a908968

SHA512
04cc1657ee7dcae083b642e1a20fbecb1415d8d7243dee8de36b9921b9c706183d2c4d4ffd6bae395f2a30879165dfc742def398ea92b69b63d239bae1424d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c06087d-709e-47e9-9e01-a63de10aac0a.vbs

Filesize
757B

MD5
0f4ec1d4feaf2b761de1b1842cb3a5ab

SHA1
9b4fced2e1dbaa6d9946a37a99751b58a4e008d7

SHA256
2f92e1d93aed782a3fb457bd4bf70f1c6b525983499c7149ef5f13ce284ee0d6

SHA512
37053ed79d6a66d65132d139cfe5b89c0dc4598406375bd62966284c78ecf1f03f96b63478df3fb11bff788a8d45eae762e088036addfc6835a6809ebfcc3829

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4865a82-6cff-4d24-87c3-d093a1146de1.vbs

Filesize
757B

MD5
1242e6570d5854e0fbd41976677d9499

SHA1
991302824dbee669bcf8be9705288c1458e7cb20

SHA256
b365a680bce71c5172be97dc4f00f105151b91ee80b5498b59cd3910ff23b332

SHA512
d2b63cd8a332fe505715248c5a40a9c631f87e2ce8f257fc9576f64b5fc8d91dfcce02954685cca59ab6979e584a554fb39c9d6b30b5c48cc7146d2d4e1a7ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fff9d8d3-4ac1-452f-b56c-91c79eac91bc.vbs

Filesize
533B

MD5
f4fc4072e5124ff1e985be1ea5e9296b

SHA1
985378cec7f593da8bc9375419d795711ac75870

SHA256
c91f16f51297ef828e91e98eba7b9a1201c96358e1dee12a09e0e90f1389bfac

SHA512
5e2bdcb25e64fffe4fcf8ad950668c65eb5d68b4329dcbab36df107fba34acbf1b4fbeaceba3288b903b621be500af8fc594c7f0672b14b475b50758b7e2304d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
50d455f45ade1e734eed376ba65e17f4

SHA1
76406fac9f82936c01139bdcacf2fcad0db4ed7c

SHA256
15dfc59fff2cad7de5219daaed77a4d074f031373bb4a88a6140bc7b73b3f79b

SHA512
c946edcc1348236c44dcb66e7c66366f3f0494a66e97367704381b6747d8485bb58f3f9a6bc34a10f6c588d3f5aaaee36dec01b203d580c634dae07c16d0dacb

Download Submit
memory/328-308-0x0000000000BB0000-0x00000000014A8000-memory.dmp

Filesize
9.0MB

Download
memory/2236-321-0x00000000013C0000-0x0000000001CB8000-memory.dmp

Filesize
9.0MB

Download
memory/2240-14-0x000000001B510000-0x000000001B518000-memory.dmp

Filesize
32KB

Download
memory/2240-36-0x000000001BC60000-0x000000001BC6C000-memory.dmp

Filesize
48KB

Download
memory/2240-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/2240-16-0x000000001B530000-0x000000001B53A000-memory.dmp

Filesize
40KB

Download
memory/2240-17-0x000000001B650000-0x000000001B6A6000-memory.dmp

Filesize
344KB

Download
memory/2240-18-0x000000001B540000-0x000000001B54C000-memory.dmp

Filesize
48KB

Download
memory/2240-19-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/2240-20-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/2240-21-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/2240-23-0x000000001BA30000-0x000000001BA42000-memory.dmp

Filesize
72KB

Download
memory/2240-24-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download
memory/2240-25-0x000000001BAB0000-0x000000001BABC000-memory.dmp

Filesize
48KB

Download
memory/2240-26-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/2240-27-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/2240-28-0x000000001BBE0000-0x000000001BBEC000-memory.dmp

Filesize
48KB

Download
memory/2240-29-0x000000001BC20000-0x000000001BC28000-memory.dmp

Filesize
32KB

Download
memory/2240-30-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/2240-31-0x000000001BC00000-0x000000001BC0A000-memory.dmp

Filesize
40KB

Download
memory/2240-32-0x000000001BC10000-0x000000001BC1E000-memory.dmp

Filesize
56KB

Download
memory/2240-33-0x000000001BC30000-0x000000001BC38000-memory.dmp

Filesize
32KB

Download
memory/2240-34-0x000000001BC40000-0x000000001BC4E000-memory.dmp

Filesize
56KB

Download
memory/2240-35-0x000000001BC50000-0x000000001BC58000-memory.dmp

Filesize
32KB

Download
memory/2240-13-0x000000001AF80000-0x000000001AF8C000-memory.dmp

Filesize
48KB

Download
memory/2240-37-0x000000001BC70000-0x000000001BC78000-memory.dmp

Filesize
32KB

Download
memory/2240-38-0x000000001BC80000-0x000000001BC8A000-memory.dmp

Filesize
40KB

Download
memory/2240-39-0x000000001BC90000-0x000000001BC9C000-memory.dmp

Filesize
48KB

Download
memory/2240-12-0x000000001B3F0000-0x000000001B402000-memory.dmp

Filesize
72KB

Download
memory/2240-11-0x000000001AEF0000-0x000000001AEF8000-memory.dmp

Filesize
32KB

Download
memory/2240-10-0x000000001B3D0000-0x000000001B3E6000-memory.dmp

Filesize
88KB

Download
memory/2240-9-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/2240-186-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x00000000002B0000-0x0000000000BA8000-memory.dmp

Filesize
9.0MB

Download
memory/2240-2-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2240-8-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2240-3-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-252-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-7-0x0000000002830000-0x000000000284C000-memory.dmp

Filesize
112KB

Download
memory/2240-223-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-4-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/2240-6-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2240-5-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

Filesize
56KB

Download
memory/2376-297-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/2376-251-0x00000000009C0000-0x00000000012B8000-memory.dmp

Filesize
9.0MB

Download
memory/3028-239-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/3028-245-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download