dcrat | 54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Size

1.3MB
MD5

48c2137034bee9bdfc2c9df1e71e9e04
SHA1

573e8453bc08e2b4e8e65b8560d81b150a9acdd8
SHA256

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
SHA512

5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247
SSDEEP

24576:q0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdS:qGy/3dSnEYFJvxS

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2328	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exedllhost.exedllhost.exedllhost.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exedllhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2428-1-0x00000000009B0000-0x0000000000B06000-memory.dmp	dcrat
C:\Windows\SchCache\lsm.exe	dcrat
behavioral1/memory/2396-103-0x0000000000240000-0x0000000000396000-memory.dmp	dcrat
behavioral1/memory/2244-119-0x0000000001370000-0x00000000014C6000-memory.dmp	dcrat
behavioral1/memory/1228-137-0x0000000000220000-0x0000000000376000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2300	powershell.exe
2228	powershell.exe
1732	powershell.exe
1376	powershell.exe
2060	powershell.exe
2764	powershell.exe
2224	powershell.exe
3064	powershell.exe
2884	powershell.exe
1972	powershell.exe
1716	powershell.exe
2092	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid process

2396 dllhost.exe
2244 dllhost.exe
1856 dllhost.exe
1228 dllhost.exe
2536 dllhost.exe
2788 dllhost.exe
2716 dllhost.exe
1292 dllhost.exe
2460 dllhost.exe

pid	process
2396	dllhost.exe
2244	dllhost.exe
1856	dllhost.exe
1228	dllhost.exe
2536	dllhost.exe
2788	dllhost.exe
2716	dllhost.exe
1292	dllhost.exe
2460	dllhost.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exedllhost.exedllhost.exedllhost.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exedllhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
4 pastebin.com
5 pastebin.com
7 pastebin.com
8 pastebin.com
10 pastebin.com

flow	ioc
12	pastebin.com
4	pastebin.com
5	pastebin.com
7	pastebin.com
8	pastebin.com
10	pastebin.com

Drops file in Program Files directory 9 IoCs

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\5940a34987c991	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files\Windows NT\dllhost.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files\Windows NT\5940a34987c991	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files\Internet Explorer\en-US\conhost.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files\Internet Explorer\en-US\088424020bedd6	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe

Drops file in Windows directory 2 IoCs

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe

description	ioc	process
File created	C:\Windows\SchCache\lsm.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
File created	C:\Windows\SchCache\101b941d020240	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1500	schtasks.exe
1324	schtasks.exe
2740	schtasks.exe
3000	schtasks.exe
540	schtasks.exe
3052	schtasks.exe
940	schtasks.exe
2892	schtasks.exe
2696	schtasks.exe
2632	schtasks.exe
584	schtasks.exe
896	schtasks.exe
3036	schtasks.exe
1736	schtasks.exe
2348	schtasks.exe
2592	schtasks.exe
2336	schtasks.exe
2880	schtasks.exe
2572	schtasks.exe
840	schtasks.exe
1608	schtasks.exe
2480	schtasks.exe
2716	schtasks.exe
2688	schtasks.exe
2332	schtasks.exe
1040	schtasks.exe
2360	schtasks.exe
832	schtasks.exe
2516	schtasks.exe
1712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	process
2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
2300	powershell.exe
2092	powershell.exe
1376	powershell.exe
2060	powershell.exe
1716	powershell.exe
2764	powershell.exe
1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
2224	powershell.exe
1972	powershell.exe
3064	powershell.exe
1732	powershell.exe
2228	powershell.exe
2884	powershell.exe
2396	dllhost.exe
2244	dllhost.exe
1228	dllhost.exe
2788	dllhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exepowershell.exepowershell.exepowershell.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2396	dllhost.exe
Token: SeDebugPrivilege	2244	dllhost.exe
Token: SeDebugPrivilege	1856	dllhost.exe
Token: SeDebugPrivilege	1228	dllhost.exe
Token: SeDebugPrivilege	2536	dllhost.exe
Token: SeDebugPrivilege	2788	dllhost.exe
Token: SeDebugPrivilege	2716	dllhost.exe
Token: SeDebugPrivilege	1292	dllhost.exe
Token: SeDebugPrivilege	2460	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exedllhost.execmd.exeWScript.exedllhost.exe

description	pid	process	target process
PID 2428 wrote to memory of 1376	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1376	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1376	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2300	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2300	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2300	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2764	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2764	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2764	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2092	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2092	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2092	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1716	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1716	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1716	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2060	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2060	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 2060	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 2428 wrote to memory of 1628	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
PID 2428 wrote to memory of 1628	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
PID 2428 wrote to memory of 1628	2428	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
PID 1628 wrote to memory of 1972	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 1972	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 1972	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2884	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2884	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2884	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 3064	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 3064	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 3064	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 1732	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 1732	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 1732	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2224	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2224	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2224	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2228	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2228	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2228	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	powershell.exe
PID 1628 wrote to memory of 2944	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	cmd.exe
PID 1628 wrote to memory of 2944	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	cmd.exe
PID 1628 wrote to memory of 2944	1628	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe	cmd.exe
PID 2396 wrote to memory of 2916	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 2916	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 2916	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 300	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 300	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 300	2396	dllhost.exe	WScript.exe
PID 2396 wrote to memory of 1912	2396	dllhost.exe	cmd.exe
PID 2396 wrote to memory of 1912	2396	dllhost.exe	cmd.exe
PID 2396 wrote to memory of 1912	2396	dllhost.exe	cmd.exe
PID 1912 wrote to memory of 2808	1912	cmd.exe	w32tm.exe
PID 1912 wrote to memory of 2808	1912	cmd.exe	w32tm.exe
PID 1912 wrote to memory of 2808	1912	cmd.exe	w32tm.exe
PID 2916 wrote to memory of 2244	2916	WScript.exe	dllhost.exe
PID 2916 wrote to memory of 2244	2916	WScript.exe	dllhost.exe
PID 2916 wrote to memory of 2244	2916	WScript.exe	dllhost.exe
PID 2244 wrote to memory of 2296	2244	dllhost.exe	WScript.exe
PID 2244 wrote to memory of 2296	2244	dllhost.exe	WScript.exe
PID 2244 wrote to memory of 2296	2244	dllhost.exe	WScript.exe
PID 2244 wrote to memory of 2356	2244	dllhost.exe	WScript.exe
PID 2244 wrote to memory of 2356	2244	dllhost.exe	WScript.exe
PID 2244 wrote to memory of 2356	2244	dllhost.exe	WScript.exe
PID 1912 wrote to memory of 1856	1912	cmd.exe	dllhost.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
"C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\dllhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\sppsvc.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\lsm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe
"C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe"
2⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\powershell.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\conhost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1AeAAEDQA4.bat"
3⤵
PID:2944

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:2724

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\146a9477-43a8-42f9-b704-6786f93408c6.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\165f5f83-72cf-449d-81a0-51cce17530b5.vbs"
7⤵
PID:2296

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
8⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfc54c41-1b06-41f9-a349-d8399965b3d3.vbs"
9⤵
PID:2320

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
10⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ff82e4a-ef29-4758-8d4a-e637676df2ef.vbs"
11⤵
PID:1732

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3911f347-2784-4f20-be2a-6edf8eba2646.vbs"
11⤵
PID:2756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
11⤵
PID:776

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1756

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d88897f3-aa3b-40b8-8844-caf09a590925.vbs"
9⤵
PID:1500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
9⤵
PID:1852

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:1284

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e76f89df-42fa-4844-978d-dd0dae968beb.vbs"
7⤵
PID:2356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
7⤵
PID:2936

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1512

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd178c8-2000-4c90-8a12-bb57a3536e28.vbs"
5⤵
PID:300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2808

C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\146a9477-43a8-42f9-b704-6786f93408c6.vbs
Filesize
723B

MD5
a79a004cf7b0f591c70013d273bc3927

SHA1
b35ae8476b2b71ad5d4699a6affa0a233c5b8134

SHA256
55dad6482979826f93fd4352f480aa18de3db8f760f85738411e644989b3dc83

SHA512
add64bfdcb0833a2200ccd8e1fdb1847aff28ce499f097a20eb19b2471fced9292691aa695e4ff308746fb7d5cd3cc38ead870fadf29fe92af6c177d76cb6087

Download Submit
C:\Users\Admin\AppData\Local\Temp\165f5f83-72cf-449d-81a0-51cce17530b5.vbs
Filesize
723B

MD5
e75a38319851fd6a12b95994559f0e6a

SHA1
5f4e50d9eff9e521066d58fc0e9b61cf14a46cb9

SHA256
9ee349109ab6b1720c4c8fe4b38c3cda63d89e181cfa8e01ac69865be725aa03

SHA512
a99681e29935632252d35f08789bf32493d4800b6c25a11758eac1351ffb61a7a9542bdb968c22fd3e7c851b76a4fccc919a33c6a68579b5f64193621d45717f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat
Filesize
212B

MD5
a369c96226528e0d320ba1ee1ccf3bc8

SHA1
181957248d67697e08e4504efd06d962566a4792

SHA256
bb9c62f8606885e89fa0d45ebbe8ee86483bbced7c22ae67c93f93e8687d6662

SHA512
ed32a793aad734f3cc14fdbf5e774fe5ae2593c96f955fb247790da7b672cbfa161cc0efe805a84b1e01f107819453d95e3ea57af4505993869b2010a68c9cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fd178c8-2000-4c90-8a12-bb57a3536e28.vbs
Filesize
499B

MD5
1cdc18a6c0f8212984b993df2c037450

SHA1
f32342ef106801c097c46ce9c658ae3576927b40

SHA256
5cd97aa90b42ef49bfae56f6ac0416489ec811af9194fbc38282224afe6efb2e

SHA512
1e689065b4a57d7c43e9cc73cb6c1f3678437f42a4a67b5f6989ce2e428f4f5b472e051324ec951548ec1e7112dc00ea6d690e8468ea9f8f0417953bc429ea15

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ff82e4a-ef29-4758-8d4a-e637676df2ef.vbs
Filesize
723B

MD5
e6556c5960c3f9eb2a018c5742a4e449

SHA1
0c58ebed574fb17d9cb9a24fd8e18f9cd4a8fd70

SHA256
65adc4b8bfc64895eb1a8abaecff3036edaac226e464ab1c15fd647ee44987a9

SHA512
6061e0d0ccf2c1099b089c0276e10fff58162c35229417a546f99191f0d397abea8a431a67e308bcbfd173fb3b837d8e42cb4a175774b4241b0776c891a56133

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat
Filesize
212B

MD5
4dca0d0d2f7d3d02c57fae6b8b63f0fa

SHA1
c461de67845b7926ce22a833be5302ab21054c40

SHA256
6dde5e71c41e707b7d8d5a91ed58761b50f0749535d4d5dfed7351ba0bc2e6f3

SHA512
7e14a15096aed884a5f8806e049cb62a7f6ca6f091aba025771e5bbbd32abe03833aa2b9baff6afd67beab23068e49a87b98d8390ab48fddaf49f836bf60be16

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat
Filesize
212B

MD5
c01b98e647f9b96f517b6e243adfb1d1

SHA1
13d5e748b0e2ca809d9824474c7a7b30f509161a

SHA256
0d61816435f286bbadfb563c14171cecdc2812bed6339e306f25beb3ec1d8f1a

SHA512
40140c8a56a2d8c0f25799e0ca1989799fb54123a15b70070813843bd2eba9757ed3ad5635cc3b75e8902091b14955ef7f9ffe1fce544f53b92eb6fde10a7fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfc54c41-1b06-41f9-a349-d8399965b3d3.vbs
Filesize
723B

MD5
c0cd79ce86c2827bf156bc603dd8b41d

SHA1
f75722fc1b5ba92b02d2c5564dd1342d2b26cd4f

SHA256
12bc2caf34276ca1518726a1837e9a530e2f7409a567952b6f0156d56078e1f7

SHA512
d294ca5aa18dacad032967772d9b037651ca0340a5c8588f412c4b90c3fe0f989b700b09308a42af78db5101671274cccba60e3b42fce31bd91873a528682c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat
Filesize
212B

MD5
6618e1030829d1dd3da07b8b849383b0

SHA1
6d9f7aee2c7e996094dca3bb14e6ed661e9d5569

SHA256
0eb4ef23b75d6067e6b3bb8a940c2e979668620440b3f79020f2a713e757855e

SHA512
63c5aae0b22d9ed3082d5a7994be8e941d9b14bca14efa03e4882bc569bbb3f72682b050bb638dbe3dc866fdaba1269fd7750981f23c3ba5fa0d2be3e26a4dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
93c5a38cf9be70aaf560cc53529aea56

SHA1
a8c7a47ecdab625630bb1f1f7d3079b4c889d5df

SHA256
a30d1c778e4fc80a137f5709ebd04d2872a499aa670da20c4927ba96b7c6dd82

SHA512
24442ecaf5b3b8b508cdbbf82f7f70f78fc2febe26d32c6a2e82bc7e229d6c12b88175eac3aebe23141b0772047cf18d588183e8fdc97e62138932f4305e3ae4

Download Submit
C:\Windows\SchCache\lsm.exe
Filesize
1.3MB

MD5
48c2137034bee9bdfc2c9df1e71e9e04

SHA1
573e8453bc08e2b4e8e65b8560d81b150a9acdd8

SHA256
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88

SHA512
5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1228-137-0x0000000000220000-0x0000000000376000-memory.dmp

Filesize
1.3MB

Download
memory/2060-47-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2224-85-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2224-74-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2244-119-0x0000000001370000-0x00000000014C6000-memory.dmp

Filesize
1.3MB

Download
memory/2300-49-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2396-103-0x0000000000240000-0x0000000000396000-memory.dmp

Filesize
1.3MB

Download
memory/2428-8-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/2428-11-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2428-10-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/2428-9-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2428-26-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2428-7-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2428-6-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2428-4-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/2428-5-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2428-3-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2428-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2428-1-0x00000000009B0000-0x0000000000B06000-memory.dmp

Filesize
1.3MB

Download