dcrat | 668e52379162e73077b1153e33e24e0743913d887f6586a0302e877150c34343

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7788207d859f3155a62d3e2ed89570N.exe
Size

4.9MB
MD5

eb7788207d859f3155a62d3e2ed89570
SHA1

5e651fea3795f04d57b4535183dacea5de3b8b6f
SHA256

668e52379162e73077b1153e33e24e0743913d887f6586a0302e877150c34343
SHA512

b6d854d98b260abd8522594830424f656ba9cd6151cc640ef639dadc73f57113b539d6a8931309198a6f63e9ec853eb1d3282aa50f9b5d4abe976271e1b15feb
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1156	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2344-3-0x000000001B800000-0x000000001B92E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1916	powershell.exe
1600	powershell.exe
844	powershell.exe
1288	powershell.exe
1632	powershell.exe
1344	powershell.exe
1192	powershell.exe
1680	powershell.exe
1704	powershell.exe
584	powershell.exe
1256	powershell.exe
608	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2340	Idle.exe
2248	Idle.exe
2528	Idle.exe
1196	Idle.exe
620	Idle.exe
1280	Idle.exe
2248	Idle.exe
1872	Idle.exe
2408	Idle.exe
2340	Idle.exe
2704	Idle.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eb7788207d859f3155a62d3e2ed89570N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	eb7788207d859f3155a62d3e2ed89570N.exe
File created	C:\Program Files (x86)\Common Files\WMIADAP.exe	eb7788207d859f3155a62d3e2ed89570N.exe
File opened for modification	C:\Program Files (x86)\Common Files\WMIADAP.exe	eb7788207d859f3155a62d3e2ed89570N.exe
File created	C:\Program Files (x86)\Common Files\75a57c1bdf437c	eb7788207d859f3155a62d3e2ed89570N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe	eb7788207d859f3155a62d3e2ed89570N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\101b941d020240	eb7788207d859f3155a62d3e2ed89570N.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXE66A.tmp	eb7788207d859f3155a62d3e2ed89570N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXE86E.tmp	eb7788207d859f3155a62d3e2ed89570N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\RemotePackages\RemoteApps\lsass.exe	eb7788207d859f3155a62d3e2ed89570N.exe
File created	C:\Windows\RemotePackages\RemoteApps\6203df4a6bafc7	eb7788207d859f3155a62d3e2ed89570N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXF282.tmp	eb7788207d859f3155a62d3e2ed89570N.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\lsass.exe	eb7788207d859f3155a62d3e2ed89570N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1864	schtasks.exe
620	schtasks.exe
1696	schtasks.exe
2720	schtasks.exe
2576	schtasks.exe
2024	schtasks.exe
1660	schtasks.exe
2520	schtasks.exe
2004	schtasks.exe
2836	schtasks.exe
2152	schtasks.exe
2080	schtasks.exe
2612	schtasks.exe
484	schtasks.exe
2844	schtasks.exe
2892	schtasks.exe
3000	schtasks.exe
352	schtasks.exe
772	schtasks.exe
2804	schtasks.exe
2932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2344	eb7788207d859f3155a62d3e2ed89570N.exe
1256	powershell.exe
584	powershell.exe
1344	powershell.exe
1600	powershell.exe
1704	powershell.exe
844	powershell.exe
1192	powershell.exe
608	powershell.exe
1288	powershell.exe
1680	powershell.exe
1632	powershell.exe
1916	powershell.exe
2340	Idle.exe
2248	Idle.exe
2528	Idle.exe
1196	Idle.exe
620	Idle.exe
1280	Idle.exe
2248	Idle.exe
1872	Idle.exe
2408	Idle.exe
2340	Idle.exe
2704	Idle.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	eb7788207d859f3155a62d3e2ed89570N.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2340	Idle.exe
Token: SeDebugPrivilege	2248	Idle.exe
Token: SeDebugPrivilege	2528	Idle.exe
Token: SeDebugPrivilege	1196	Idle.exe
Token: SeDebugPrivilege	620	Idle.exe
Token: SeDebugPrivilege	1280	Idle.exe
Token: SeDebugPrivilege	2248	Idle.exe
Token: SeDebugPrivilege	1872	Idle.exe
Token: SeDebugPrivilege	2408	Idle.exe
Token: SeDebugPrivilege	2340	Idle.exe
Token: SeDebugPrivilege	2704	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1288	2344	eb7788207d859f3155a62d3e2ed89570N.exe	53
PID 2344 wrote to memory of 1288	2344	eb7788207d859f3155a62d3e2ed89570N.exe	53
PID 2344 wrote to memory of 1288	2344	eb7788207d859f3155a62d3e2ed89570N.exe	53
PID 2344 wrote to memory of 584	2344	eb7788207d859f3155a62d3e2ed89570N.exe	54
PID 2344 wrote to memory of 584	2344	eb7788207d859f3155a62d3e2ed89570N.exe	54
PID 2344 wrote to memory of 584	2344	eb7788207d859f3155a62d3e2ed89570N.exe	54
PID 2344 wrote to memory of 1256	2344	eb7788207d859f3155a62d3e2ed89570N.exe	56
PID 2344 wrote to memory of 1256	2344	eb7788207d859f3155a62d3e2ed89570N.exe	56
PID 2344 wrote to memory of 1256	2344	eb7788207d859f3155a62d3e2ed89570N.exe	56
PID 2344 wrote to memory of 844	2344	eb7788207d859f3155a62d3e2ed89570N.exe	57
PID 2344 wrote to memory of 844	2344	eb7788207d859f3155a62d3e2ed89570N.exe	57
PID 2344 wrote to memory of 844	2344	eb7788207d859f3155a62d3e2ed89570N.exe	57
PID 2344 wrote to memory of 1632	2344	eb7788207d859f3155a62d3e2ed89570N.exe	58
PID 2344 wrote to memory of 1632	2344	eb7788207d859f3155a62d3e2ed89570N.exe	58
PID 2344 wrote to memory of 1632	2344	eb7788207d859f3155a62d3e2ed89570N.exe	58
PID 2344 wrote to memory of 608	2344	eb7788207d859f3155a62d3e2ed89570N.exe	59
PID 2344 wrote to memory of 608	2344	eb7788207d859f3155a62d3e2ed89570N.exe	59
PID 2344 wrote to memory of 608	2344	eb7788207d859f3155a62d3e2ed89570N.exe	59
PID 2344 wrote to memory of 1344	2344	eb7788207d859f3155a62d3e2ed89570N.exe	60
PID 2344 wrote to memory of 1344	2344	eb7788207d859f3155a62d3e2ed89570N.exe	60
PID 2344 wrote to memory of 1344	2344	eb7788207d859f3155a62d3e2ed89570N.exe	60
PID 2344 wrote to memory of 1600	2344	eb7788207d859f3155a62d3e2ed89570N.exe	61
PID 2344 wrote to memory of 1600	2344	eb7788207d859f3155a62d3e2ed89570N.exe	61
PID 2344 wrote to memory of 1600	2344	eb7788207d859f3155a62d3e2ed89570N.exe	61
PID 2344 wrote to memory of 1916	2344	eb7788207d859f3155a62d3e2ed89570N.exe	62
PID 2344 wrote to memory of 1916	2344	eb7788207d859f3155a62d3e2ed89570N.exe	62
PID 2344 wrote to memory of 1916	2344	eb7788207d859f3155a62d3e2ed89570N.exe	62
PID 2344 wrote to memory of 1192	2344	eb7788207d859f3155a62d3e2ed89570N.exe	63
PID 2344 wrote to memory of 1192	2344	eb7788207d859f3155a62d3e2ed89570N.exe	63
PID 2344 wrote to memory of 1192	2344	eb7788207d859f3155a62d3e2ed89570N.exe	63
PID 2344 wrote to memory of 1704	2344	eb7788207d859f3155a62d3e2ed89570N.exe	65
PID 2344 wrote to memory of 1704	2344	eb7788207d859f3155a62d3e2ed89570N.exe	65
PID 2344 wrote to memory of 1704	2344	eb7788207d859f3155a62d3e2ed89570N.exe	65
PID 2344 wrote to memory of 1680	2344	eb7788207d859f3155a62d3e2ed89570N.exe	66
PID 2344 wrote to memory of 1680	2344	eb7788207d859f3155a62d3e2ed89570N.exe	66
PID 2344 wrote to memory of 1680	2344	eb7788207d859f3155a62d3e2ed89570N.exe	66
PID 2344 wrote to memory of 2340	2344	eb7788207d859f3155a62d3e2ed89570N.exe	77
PID 2344 wrote to memory of 2340	2344	eb7788207d859f3155a62d3e2ed89570N.exe	77
PID 2344 wrote to memory of 2340	2344	eb7788207d859f3155a62d3e2ed89570N.exe	77
PID 2340 wrote to memory of 2988	2340	Idle.exe	78
PID 2340 wrote to memory of 2988	2340	Idle.exe	78
PID 2340 wrote to memory of 2988	2340	Idle.exe	78
PID 2340 wrote to memory of 2908	2340	Idle.exe	79
PID 2340 wrote to memory of 2908	2340	Idle.exe	79
PID 2340 wrote to memory of 2908	2340	Idle.exe	79
PID 2988 wrote to memory of 2248	2988	WScript.exe	80
PID 2988 wrote to memory of 2248	2988	WScript.exe	80
PID 2988 wrote to memory of 2248	2988	WScript.exe	80
PID 2248 wrote to memory of 1588	2248	Idle.exe	81
PID 2248 wrote to memory of 1588	2248	Idle.exe	81
PID 2248 wrote to memory of 1588	2248	Idle.exe	81
PID 2248 wrote to memory of 2852	2248	Idle.exe	82
PID 2248 wrote to memory of 2852	2248	Idle.exe	82
PID 2248 wrote to memory of 2852	2248	Idle.exe	82
PID 1588 wrote to memory of 2528	1588	WScript.exe	83
PID 1588 wrote to memory of 2528	1588	WScript.exe	83
PID 1588 wrote to memory of 2528	1588	WScript.exe	83
PID 2528 wrote to memory of 1032	2528	Idle.exe	84
PID 2528 wrote to memory of 1032	2528	Idle.exe	84
PID 2528 wrote to memory of 1032	2528	Idle.exe	84
PID 2528 wrote to memory of 876	2528	Idle.exe	85
PID 2528 wrote to memory of 876	2528	Idle.exe	85
PID 2528 wrote to memory of 876	2528	Idle.exe	85
PID 1032 wrote to memory of 1196	1032	WScript.exe	86

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	eb7788207d859f3155a62d3e2ed89570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb7788207d859f3155a62d3e2ed89570N.exe
"C:\Users\Admin\AppData\Local\Temp\eb7788207d859f3155a62d3e2ed89570N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bd4caaa-5483-4228-81db-a93aca0f63af.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
      C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2248
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d1c0451-2374-4c62-8342-f06e3af745a4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca5cff8-11f1-42d5-a8b2-4b849f0787b9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2341abf2-523a-4ac6-ab1b-5ab983321f16.vbs"
        9⤵
        
        PID:2824
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a2f1139-010b-49fa-a992-32bf2c6c3b13.vbs"
        11⤵
        
        PID:2428
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c3fd0ca-b17a-4d2c-a54b-13fb905ff725.vbs"
        13⤵
        
        PID:2452
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc8a09ef-1733-4089-ba27-0d5a5bef967f.vbs"
        15⤵
        
        PID:3000
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d056bb19-a75b-4a72-a769-509219363f2d.vbs"
        17⤵
        
        PID:2604
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a74688c9-30ce-40e1-b694-ac0bc6009976.vbs"
        19⤵
        
        PID:2876
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a3a9e6-8f6b-4e1c-92a8-6d9e0cd56f26.vbs"
        21⤵
        
        PID:1096
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\333c2899-0bc1-487d-9962-dec93ec5a814.vbs"
        21⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d81f14-2fe5-4a14-bdf7-0981a8cf1dad.vbs"
        19⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48188029-2e82-491f-a84b-ed8a2bcf055b.vbs"
        17⤵
        
        PID:1196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08f4e829-f641-4637-a69f-4f780163707e.vbs"
        15⤵
        
        PID:1444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fca653e0-bfc2-40b7-845a-c2dcd1ea3a63.vbs"
        13⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\363fed18-cbef-4ab9-9798-53d49ee946ed.vbs"
        11⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11f076e3-e31b-4b2a-996f-47863a8beb64.vbs"
        9⤵
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f60d6f3f-c018-465b-a47b-8e537bf16c66.vbs"
        7⤵
        
        PID:876
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5b6e8c4-1f3e-4def-88d0-885f4640ba9e.vbs"
        5⤵
        
        PID:2852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f8167e7-c061-43f7-bc76-2f0021f29a09.vbs"
    3⤵
    PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe

Filesize
4.9MB

MD5
eb7788207d859f3155a62d3e2ed89570

SHA1
5e651fea3795f04d57b4535183dacea5de3b8b6f

SHA256
668e52379162e73077b1153e33e24e0743913d887f6586a0302e877150c34343

SHA512
b6d854d98b260abd8522594830424f656ba9cd6151cc640ef639dadc73f57113b539d6a8931309198a6f63e9ec853eb1d3282aa50f9b5d4abe976271e1b15feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d1c0451-2374-4c62-8342-f06e3af745a4.vbs

Filesize
733B

MD5
97d04b0a675820e3795abfde1dfb5e6b

SHA1
a9b15b9bb5cc602bbf380ab58855528fa3411382

SHA256
d62442d50d105dbd6a4c963377e6122243651ef972079b6bd4805a3398bfd5a4

SHA512
f14bc4ed8d2bad20a24842105a3659928d0fcfc68c6d976d989bd7f0fa16ebb767359c423cecb2db3b41ca6b916b7c1fdbcc7c754f741f3c630eb17304f2d470

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f8167e7-c061-43f7-bc76-2f0021f29a09.vbs

Filesize
509B

MD5
00f59249239412e660f9336956f91f45

SHA1
5bd04f8bfc87d83a0d3cd9bed9d9790313d93b3f

SHA256
5f23880b4330864ea5ac1c77742f8b2e81efd56d07e54eeaedf20f601be5cd9e

SHA512
da82b97e3dcad66a93ab62a3211dcf86592a509f56724636be81d52ee4c9af4e1c98d2b517324e1a9032927a29809a78b79870f8b514f594164f318e84a2fa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341abf2-523a-4ac6-ab1b-5ab983321f16.vbs

Filesize
733B

MD5
8e199f7de2f0592cdbfc5d0c3eb40508

SHA1
f5bb6b8392aa578fe2bace1d7f698e422af89227

SHA256
2074ef395a67a7dc0f4549b4305b5a8a1a657fa0990bcafd9afbb9bfc0af4e94

SHA512
e6acf05dcc2381adf5728a9892acf86983d47a851793892a8b15f4ec8cffa89f9bec1560dd1f1462c4411549419078e27173622eeacdc427a38b3e50e3abb876

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c3fd0ca-b17a-4d2c-a54b-13fb905ff725.vbs

Filesize
733B

MD5
4786bbfd0940daa6eea421adb0533f94

SHA1
fa817b44ffbfeab5dd39b5e6a0cfad4f2ac3476e

SHA256
5c764d9b6c366f0a4ddc8095f48c73b08ed50de585748b6ffb2aba2197e514d0

SHA512
d370a26c7156c741244531f2b3b798515704cdc5a13699b5a2479d8237f4b27cd9700c7d6a1776cb70386f4bac3c11ede3459f2c42bca37b7b9bfa3f86c75e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ca5cff8-11f1-42d5-a8b2-4b849f0787b9.vbs

Filesize
733B

MD5
e7f24c41698c05bc04dc50f730039713

SHA1
13b8cfe2990bfc8a876da4c052e788f58e328655

SHA256
074c89d871deb1163da8d12592375d5c4a05b99c8c0e4f50189d9a85f328a376

SHA512
b972a8bcf5a81054cc22ba56ec43febc59ebd1720ad4b240aa39917f9b463840c8976e15442058feae5ba482bc92b86e32b1fb24f9aa319bf6825f32311a5e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bd4caaa-5483-4228-81db-a93aca0f63af.vbs

Filesize
733B

MD5
430448b3b9054bd598cadf35a09c78ab

SHA1
b1987e55750d1fd1043d3dd0e533b299a300e1be

SHA256
3de0ed11897eea06d9d35b135e93645de926ca2066b0338dad8c47d21cb4a6ab

SHA512
bd8f5077fb85685ad35fd4478f2bbcb6d7e489a4c22811877bd27454b0fad7236173585dfdc3a8ce64f082788e0e13eaa46da493de132671edab6385590d994f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a2f1139-010b-49fa-a992-32bf2c6c3b13.vbs

Filesize
732B

MD5
2a8620f70d5ae15a17b5ae13536199f1

SHA1
9cf0ad4425afba97cd15075c5d4a7ba1dc7b552e

SHA256
b025619087000734da6a3d2e64c58dba443f278914b93f216f7c2bd1f65a9b3a

SHA512
81523c293a0dbe6a7fa4a6934b9d091aef0954eb0e6c5356ca72cdaa5213d3a6cb38397cc7377209853507794011ffd949d1866ba8684bbb49ef743d2e0e730f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a74688c9-30ce-40e1-b694-ac0bc6009976.vbs

Filesize
733B

MD5
12ce7cf0343aed745ef4348c38cfe756

SHA1
1b5345a7638a70314af643cb027a9d972922649c

SHA256
a32ce12aab3d3ca074f9cbcaa22ffc7f8ec46483db646ce41cc1788b4a96d344

SHA512
106f26820f188582270c1edc3b8f87756e1da9b694c54fb1d42cc5c279f7fd8dc1869ebde1ba808f8efbfd83265bfb5cac8285dab777978351d8d87cbc92ecd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d056bb19-a75b-4a72-a769-509219363f2d.vbs

Filesize
733B

MD5
e19c0e71cb69e90ebebf608852b037c1

SHA1
d618d0433fcc46f555a20d1b39672cdacb23af6c

SHA256
c72007dafd4e5eeac24c16fc385fa224893519b9cd5aef8555f4278f2784dd63

SHA512
00bed8690b21edb96e512ff47917954f8d7bc75e1dffbaebb0b1ae0f9455fad7dca571126a0d3ea0f21c827b552cdf796402c259ad05536f2dbfed6af1ba7e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp30D.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
954e4fe222b8f294d9f96107555bfd27

SHA1
b34cbe0bfffc828b3462763c6659974bf47f5edd

SHA256
9707e18c2a9e1a5d308652e50b3ea52ca2aef3c6472df3fc22a3580722bc32cb

SHA512
d3257da07a7e6f4c12e60e5ad9cd9addecfa036e35bb674a611edb2a0b7474a37db304bab3c4d09d471328c28d24c9bd0dc58d8bebe23e41ca6697e230f71962

Download Submit
memory/1256-102-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/1256-100-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1280-224-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2340-155-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/2340-95-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/2344-9-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2344-3-0x000000001B800000-0x000000001B92E000-memory.dmp

Filesize
1.2MB

Download
memory/2344-11-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/2344-12-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/2344-152-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2344-15-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2344-10-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2344-13-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/2344-8-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2344-7-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2344-1-0x0000000000260000-0x0000000000754000-memory.dmp

Filesize
5.0MB

Download
memory/2344-6-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/2344-5-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/2344-4-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/2344-14-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2344-0-0x000007FEF5733000-0x000007FEF5734000-memory.dmp

Filesize
4KB

Download
memory/2344-2-0x000007FEF5730000-0x000007FEF611C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-267-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2528-181-0x00000000012B0000-0x00000000017A4000-memory.dmp

Filesize
5.0MB

Download
memory/2704-296-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download