dcrat | 9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Size

4.9MB
MD5

f32026ab859baf87e56f628b87ec52a0
SHA1

926a579598eb4364b9cd10a036a294809fd3cb16
SHA256

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975
SHA512

69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2748	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2684-2-0x000000001B490000-0x000000001B5BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1436	powershell.exe
2924	powershell.exe
1828	powershell.exe
1760	powershell.exe
2188	powershell.exe
2720	powershell.exe
1140	powershell.exe
300	powershell.exe
1832	powershell.exe
2160	powershell.exe
2224	powershell.exe
2500	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2216	Idle.exe
2644	Idle.exe
1536	Idle.exe
1804	Idle.exe
1496	Idle.exe
2792	Idle.exe
300	Idle.exe
2156	Idle.exe
1624	Idle.exe
1612	Idle.exe
2292	Idle.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lsass.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\7-Zip\6203df4a6bafc7	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\7-Zip\RCX8A28.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\7-Zip\lsass.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\Idle.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\Idle.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\PolicyDefinitions\en-US\6ccacd8608530f	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\RCX8824.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
2756	schtasks.exe
2880	schtasks.exe
2628	schtasks.exe
2852	schtasks.exe
940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
2720	powershell.exe
2160	powershell.exe
1436	powershell.exe
2224	powershell.exe
300	powershell.exe
2924	powershell.exe
1832	powershell.exe
1760	powershell.exe
1140	powershell.exe
1828	powershell.exe
2500	powershell.exe
2188	powershell.exe
2216	Idle.exe
2644	Idle.exe
1536	Idle.exe
1804	Idle.exe
1496	Idle.exe
2792	Idle.exe
300	Idle.exe
2156	Idle.exe
1624	Idle.exe
1612	Idle.exe
2292	Idle.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2216	Idle.exe
Token: SeDebugPrivilege	2644	Idle.exe
Token: SeDebugPrivilege	1536	Idle.exe
Token: SeDebugPrivilege	1804	Idle.exe
Token: SeDebugPrivilege	1496	Idle.exe
Token: SeDebugPrivilege	2792	Idle.exe
Token: SeDebugPrivilege	300	Idle.exe
Token: SeDebugPrivilege	2156	Idle.exe
Token: SeDebugPrivilege	1624	Idle.exe
Token: SeDebugPrivilege	1612	Idle.exe
Token: SeDebugPrivilege	2292	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2720	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 2684 wrote to memory of 2720	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 2684 wrote to memory of 2720	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	37
PID 2684 wrote to memory of 2500	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 2684 wrote to memory of 2500	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 2684 wrote to memory of 2500	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	38
PID 2684 wrote to memory of 2224	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 2684 wrote to memory of 2224	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 2684 wrote to memory of 2224	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	39
PID 2684 wrote to memory of 2188	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	42
PID 2684 wrote to memory of 2188	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	42
PID 2684 wrote to memory of 2188	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	42
PID 2684 wrote to memory of 2160	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 2684 wrote to memory of 2160	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 2684 wrote to memory of 2160	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	43
PID 2684 wrote to memory of 1760	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	44
PID 2684 wrote to memory of 1760	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	44
PID 2684 wrote to memory of 1760	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	44
PID 2684 wrote to memory of 1828	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 2684 wrote to memory of 1828	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 2684 wrote to memory of 1828	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	45
PID 2684 wrote to memory of 1832	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 2684 wrote to memory of 1832	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 2684 wrote to memory of 1832	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	46
PID 2684 wrote to memory of 2924	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 2684 wrote to memory of 2924	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 2684 wrote to memory of 2924	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	47
PID 2684 wrote to memory of 300	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 2684 wrote to memory of 300	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 2684 wrote to memory of 300	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	48
PID 2684 wrote to memory of 1140	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 2684 wrote to memory of 1140	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 2684 wrote to memory of 1140	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	49
PID 2684 wrote to memory of 1436	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 2684 wrote to memory of 1436	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 2684 wrote to memory of 1436	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	51
PID 2684 wrote to memory of 2216	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	61
PID 2684 wrote to memory of 2216	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	61
PID 2684 wrote to memory of 2216	2684	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	61
PID 2216 wrote to memory of 2256	2216	Idle.exe	62
PID 2216 wrote to memory of 2256	2216	Idle.exe	62
PID 2216 wrote to memory of 2256	2216	Idle.exe	62
PID 2216 wrote to memory of 2608	2216	Idle.exe	63
PID 2216 wrote to memory of 2608	2216	Idle.exe	63
PID 2216 wrote to memory of 2608	2216	Idle.exe	63
PID 2256 wrote to memory of 2644	2256	WScript.exe	65
PID 2256 wrote to memory of 2644	2256	WScript.exe	65
PID 2256 wrote to memory of 2644	2256	WScript.exe	65
PID 2644 wrote to memory of 1972	2644	Idle.exe	66
PID 2644 wrote to memory of 1972	2644	Idle.exe	66
PID 2644 wrote to memory of 1972	2644	Idle.exe	66
PID 2644 wrote to memory of 1800	2644	Idle.exe	67
PID 2644 wrote to memory of 1800	2644	Idle.exe	67
PID 2644 wrote to memory of 1800	2644	Idle.exe	67
PID 1972 wrote to memory of 1536	1972	WScript.exe	68
PID 1972 wrote to memory of 1536	1972	WScript.exe	68
PID 1972 wrote to memory of 1536	1972	WScript.exe	68
PID 1536 wrote to memory of 1416	1536	Idle.exe	69
PID 1536 wrote to memory of 1416	1536	Idle.exe	69
PID 1536 wrote to memory of 1416	1536	Idle.exe	69
PID 1536 wrote to memory of 1644	1536	Idle.exe	70
PID 1536 wrote to memory of 1644	1536	Idle.exe	70
PID 1536 wrote to memory of 1644	1536	Idle.exe	70
PID 1416 wrote to memory of 1804	1416	WScript.exe	71

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\PolicyDefinitions\en-US\Idle.exe
  "C:\Windows\PolicyDefinitions\en-US\Idle.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be564d4-697b-486f-8209-5a7be7dbc61d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\PolicyDefinitions\en-US\Idle.exe
      C:\Windows\PolicyDefinitions\en-US\Idle.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f904287-015d-43b0-beb2-8ef6d2205c10.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b398295-2c3a-4eee-9117-150498c646e4.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98009de8-6722-4b2d-81d0-538fa7d57fe3.vbs"
        9⤵
        
        PID:952
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\468dbbb5-35da-462d-b45e-239834375b34.vbs"
        11⤵
        
        PID:2072
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da23ddb1-ccf6-477b-806e-9f0ee1967a8b.vbs"
        13⤵
        
        PID:2596
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93160e34-c4d1-4997-abb1-20417ee67876.vbs"
        15⤵
        
        PID:908
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffd0d2a5-a557-4002-aaba-1c8f7bd93f1a.vbs"
        17⤵
        
        PID:1884
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b55e92bc-d418-4546-93d3-da8eda27ac9e.vbs"
        19⤵
        
        PID:784
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73becd6d-a19a-4507-8391-05696db88c30.vbs"
        21⤵
        
        PID:1704
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        
        C:\Windows\PolicyDefinitions\en-US\Idle.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3032b7c8-3226-498b-8ebe-f75394f26537.vbs"
        23⤵
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c550bbe8-4175-4fdc-8780-82012fc08b21.vbs"
        23⤵
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a097d16b-bf2b-4f3f-92c0-e7508184a376.vbs"
        21⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90cadf43-206e-432f-8353-6e988d8192fd.vbs"
        19⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\230b90e9-7f2e-4178-a2b3-0751fcb2bc51.vbs"
        17⤵
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ab898cd-8858-43ef-a3b2-3ef36b62c7a6.vbs"
        15⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a592c081-d05c-4a58-8fdf-e43491f0af68.vbs"
        13⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf7d9ec3-3eb9-40ae-bd6f-7e90c0a49e6b.vbs"
        11⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6f828c6-77a8-4686-9a49-3472ccfeb5e8.vbs"
        9⤵
        
        PID:2916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acccfe32-dc99-4c6a-8315-21f7d618a43e.vbs"
        7⤵
        
        PID:1644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4605dd5c-4510-4365-b6aa-3d0cb88037ff.vbs"
        5⤵
        
        PID:1800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00e8a1b4-7253-4f36-92c5-8d9b904d58d4.vbs"
    3⤵
    PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00e8a1b4-7253-4f36-92c5-8d9b904d58d4.vbs

Filesize
495B

MD5
57ed58522f00e4904ecbf347ca161a36

SHA1
9f5835ee3f496e835653a21f234ebe376852a3bf

SHA256
65da27ab45eea0546331d1750cb6fb69d039706781a4a4df98d398de7796a23b

SHA512
2688c54982d06151ba4e4677e33b0a645cbb366ed9a7ef321db49ce00c5a2344854b06c07661158a6e39b37402ef3e909ea7836308405ebe42c776df983e6dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3032b7c8-3226-498b-8ebe-f75394f26537.vbs

Filesize
719B

MD5
fabfebffbcba4e1fe9ea1aa0463befe4

SHA1
1b7a12e5a8a1eb0b5b00061240dccf580c3f2ce6

SHA256
4e64b16016f9c8c3c5583b7b3091af9233063bc35eebcf5c87efc2719dab6143

SHA512
a97d18abbbed7bd0799a5862d847285cc9f41d377b86398cbbe18582c3debf62b3655a9524e6f7cd849a9b7310332cea6ecc7419ddb4e3d525e407a2ebf14dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904287-015d-43b0-beb2-8ef6d2205c10.vbs

Filesize
719B

MD5
4f223ccf83cc12f3a07daaa0ed290986

SHA1
a612025bc09141d27bac9d25608304036fbe5a3e

SHA256
ea0b3d4217846f8f4365655a6206a2f5e2becebe75c7432d895cffa1c8929ead

SHA512
42cbc907fb389fa6c26e891cf49705ebf58aa6f0500c3b47b63dc981d14980c77a30ac153011dbacde5b4744537e56420779810c5efcfe6df90fbd6c5a2e52de

Download Submit
C:\Users\Admin\AppData\Local\Temp\468dbbb5-35da-462d-b45e-239834375b34.vbs

Filesize
719B

MD5
0952d91c4e8dc4db9de871bc5855d6cd

SHA1
0316dfdb19df6d7cd98295bd3a0190f7dd22f708

SHA256
112335ba16ddd8fba865c19ac7dc723c86d790348ec0037732db04a50073cafd

SHA512
b566f4732913018996dd658b5b4cbcfb2f8e40729f7bbedd5cf00a2452b2fa43399b5d43fe852039618ab4fd334940045f6b2d23b294a4fa87d7ee2309f5b5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b398295-2c3a-4eee-9117-150498c646e4.vbs

Filesize
719B

MD5
081eac49ccb1a4a33e37931b85ea94a4

SHA1
d93f6afeca1ff9907012484ea473ad0f317bfbbb

SHA256
00f29dbbd04c7b1376d071cd11ec2f164b814ce4c3f543c326d8bfdd8d00ec64

SHA512
e772d8b620d561d5fa53ae20b67bfc34e0c7b2189aa17886bbc2d1ac3c5208f9727ab9efb3447cb7f5cd2da02bbd4856b686d4cc4f7ee17673c80cf6531ff06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\73becd6d-a19a-4507-8391-05696db88c30.vbs

Filesize
719B

MD5
7b5ffaa621c169b48d058f0d4a31eb7f

SHA1
c5a1eeb1b474fa157fae6890ee05ff797ab28c37

SHA256
2545b9238e3244dc9e1a8886f5f96d9d5e3ee11a5b187941b63afc87b706855d

SHA512
09624ae272ea3ae22fa8de4ada72de407d0b5b19026f5c290124a19174c7498e1702cdbf8eae31d92400176f952b00890e10af8d7abcc2e595d609482c27a039

Download Submit
C:\Users\Admin\AppData\Local\Temp\7be564d4-697b-486f-8209-5a7be7dbc61d.vbs

Filesize
719B

MD5
545c987bb48de1612122442dce157bea

SHA1
f7de6f551572028380eaebe3b982eb9859354b14

SHA256
296a41126f9f969b9ae9890194999e759d6f53b3bac2eddf98972088f3936eb0

SHA512
bf565b05b1c18614ee8e48995500e3511711b4929c74cfc2883b9d60038e924e1855e55a0284420c84dfa9644fab6a63805209316136b2b253fd1a10f1a047af

Download Submit
C:\Users\Admin\AppData\Local\Temp\93160e34-c4d1-4997-abb1-20417ee67876.vbs

Filesize
718B

MD5
89b5bd68092ec0fbc8a2ad031e82788b

SHA1
5502a924fd8a9627f071f170245c84492fcb1bc7

SHA256
d9323042128aaff6ea78d7ae13f473be21ad103c6dfb596ad8c8037e644e1ff6

SHA512
6c1b91b41b6321e0ba0fa0e44f813a886c96d207653f2338facdce4ccc2e734dfe90517e3f8f0094d3ef1cf5285b784d51f9350bc4e9954ab7f3af596f24d02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\98009de8-6722-4b2d-81d0-538fa7d57fe3.vbs

Filesize
719B

MD5
f7d888bedf58fdeed0c1f5f394eafaf5

SHA1
a55ab8546cb365f478d471be67a95c8bb5f2075e

SHA256
cf2513dc1f7baf0cdbc5d838ccac93b7001ac50d2e579d28a2256c8905f56388

SHA512
31d43d583e52a83b9a9d0c874bc7233a98ab5cb35147688788982cca012b9d718fa908b423ebecd266fba640e9505df708d10016e92cc2aa9c44fae7146107d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b55e92bc-d418-4546-93d3-da8eda27ac9e.vbs

Filesize
719B

MD5
a550d28681563a2f63d90fa7dec63760

SHA1
aaa04032779b51d0e7ce258ccee1a612e5e34a91

SHA256
6a85ce7db11cca70e96ee454cd4ef72f5aa11e7ffb1aaf26f56c24cd8393f29b

SHA512
0f0de82589f26e1c8171f0e89e4bdff7265f21dff0857addfe2dfa52d45d05b75c575175fae0b9192cc89c1ef5269e6be3ecd7ac5c1f7d87941eb6411ca5940b

Download Submit
C:\Users\Admin\AppData\Local\Temp\da23ddb1-ccf6-477b-806e-9f0ee1967a8b.vbs

Filesize
719B

MD5
6796c1c0393377496fbc21e1e512d5be

SHA1
571fdecbf331804d59f985a6463ccb9ca8a0c2c4

SHA256
f7865d29cdccdd1b6b9f802a65c152e8d5152ba5efe6b570864ca40ed256b302

SHA512
ea8369f10de5398d9aa33ed7cf81e46a9e5e02d7fbe9599fe68cda414684dcd2d08f4feefc8ca85a79ac93a5362e1209f0a7c73979a3b46a91e25ba6800b77db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffd0d2a5-a557-4002-aaba-1c8f7bd93f1a.vbs

Filesize
719B

MD5
108125c3c77e8a74d4ec21a12252162a

SHA1
730967cd324fbdb2eba11598c43e534f95dec34d

SHA256
5bac685000f4a0a73446dfb62426dfa7cbd5169ea261c16f0937abfd8f25be7a

SHA512
1a1ab4c2d67ba0bb0bb4727d91b785ba8319c99dff6a2162cad90844b3eb25ab32ca1e3b5b131b5cf25baf777f56905fdd00d23285e88b485f7b665d651bc5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDFD4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
78b1438e725888eebc156feb4bd85849

SHA1
e53d5287d24db5047c91ecd598ff62982ca8c502

SHA256
6223814995dd2e2d6e798501e937e9026c33cce82e2aa6d91167b54c29366a5d

SHA512
ce7697d2bda53d7ac1fb3444184baf3b23567adf28257c62581a972a75a4cb62553b72aef4c992982cf8546cbbca36b36cda9b88d43f842854bddb8ec7e99676

Download Submit
C:\Windows\PolicyDefinitions\en-US\Idle.exe

Filesize
4.9MB

MD5
f32026ab859baf87e56f628b87ec52a0

SHA1
926a579598eb4364b9cd10a036a294809fd3cb16

SHA256
9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

SHA512
69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c

Download Submit
memory/300-190-0x0000000000020000-0x0000000000514000-memory.dmp

Filesize
5.0MB

Download
memory/1496-161-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1612-235-0x0000000001290000-0x0000000001784000-memory.dmp

Filesize
5.0MB

Download
memory/1624-220-0x0000000000F30000-0x0000000001424000-memory.dmp

Filesize
5.0MB

Download
memory/2156-205-0x0000000000E00000-0x00000000012F4000-memory.dmp

Filesize
5.0MB

Download
memory/2216-82-0x00000000011F0000-0x00000000016E4000-memory.dmp

Filesize
5.0MB

Download
memory/2644-118-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2684-10-0x0000000002450000-0x0000000002462000-memory.dmp

Filesize
72KB

Download
memory/2684-13-0x000000001ADE0000-0x000000001ADEE000-memory.dmp

Filesize
56KB

Download
memory/2684-1-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download
memory/2684-2-0x000000001B490000-0x000000001B5BE000-memory.dmp

Filesize
1.2MB

Download
memory/2684-14-0x000000001AF70000-0x000000001AF78000-memory.dmp

Filesize
32KB

Download
memory/2684-15-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/2684-16-0x000000001AF90000-0x000000001AF9C000-memory.dmp

Filesize
48KB

Download
memory/2684-11-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/2684-12-0x000000001ADD0000-0x000000001ADDE000-memory.dmp

Filesize
56KB

Download
memory/2684-104-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-0-0x000007FEF6263000-0x000007FEF6264000-memory.dmp

Filesize
4KB

Download
memory/2684-9-0x00000000023C0000-0x00000000023CA000-memory.dmp

Filesize
40KB

Download
memory/2684-8-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/2684-7-0x00000000023A0000-0x00000000023B6000-memory.dmp

Filesize
88KB

Download
memory/2684-6-0x0000000002300000-0x0000000002310000-memory.dmp

Filesize
64KB

Download
memory/2684-5-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2684-4-0x0000000000C40000-0x0000000000C5C000-memory.dmp

Filesize
112KB

Download
memory/2684-3-0x000007FEF6260000-0x000007FEF6C4C000-memory.dmp

Filesize
9.9MB

Download
memory/2720-68-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2924-47-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download