dcrat | ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Size

4.9MB
MD5

7036b30146fb317c8aaa24effa7f79c0
SHA1

e5887a7e997c2c2896d15bfa03169421ef8900ae
SHA256

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1
SHA512

fe3eb8589494b37527462fba8d588055a5145e3a5c9d5f974d31ee98b636ae5ed7fe850681c0ba7564f8d24bf4f8947923da1e2194ec404300e2269a0d7d0669
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2920	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2920	schtasks.exe	30

UAC bypass 3 TTPs 24 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exeef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/572-2-0x000000001B5E0000-0x000000001B70E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2588	powershell.exe
1480	powershell.exe
2664	powershell.exe
3060	powershell.exe
2072	powershell.exe
1284	powershell.exe
2212	powershell.exe
1764	powershell.exe
2180	powershell.exe
2380	powershell.exe
804	powershell.exe
2832	powershell.exe

Executes dropped EXE 7 IoCs

Processes:

lsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
2892	lsm.exe
580	lsm.exe
3040	lsm.exe
948	lsm.exe
1056	lsm.exe
3008	lsm.exe
1764	lsm.exe

Checks whether UAC is enabled 1 TTPs 16 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsm.exeef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe

Drops file in Program Files directory 24 IoCs

Processes:

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\lsass.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows NT\audiodg.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\lsass.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows Mail\lsass.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXD1E0.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows Sidebar\6ccacd8608530f	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows Mail\lsass.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows NT\42af1c969fbb7b	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows Mail\6203df4a6bafc7	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\56085415360792	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXC618.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Internet Explorer\en-US\6203df4a6bafc7	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows Sidebar\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows NT\RCXB7EF.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCXBF9F.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXC3F5.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files\Windows Mail\RCXCF30.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Program Files\Windows NT\audiodg.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe

Drops file in Windows directory 21 IoCs

Processes:

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe

description	ioc	Process
File created	C:\Windows\en-US\6ccacd8608530f	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\system\RCXB0F9.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\en-US\RCXB57E.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\en-US\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\Prefetch\RCXBA9E.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\system\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\Registration\CRMLog\5940a34987c991	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\RCXCAEA.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\CSC\v2.0.6\csrss.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\Prefetch\taskhost.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\Prefetch\taskhost.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\system\6ccacd8608530f	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\Registration\CRMLog\dllhost.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\Prefetch\b75386f1303e64	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\101b941d020240	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXB35B.tmp	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File opened for modification	C:\Windows\Registration\CRMLog\dllhost.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\system\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
File created	C:\Windows\en-US\Idle.exe	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2464	schtasks.exe
1840	schtasks.exe
2732	schtasks.exe
756	schtasks.exe
1496	schtasks.exe
3016	schtasks.exe
1792	schtasks.exe
1608	schtasks.exe
1548	schtasks.exe
2176	schtasks.exe
392	schtasks.exe
1204	schtasks.exe
2328	schtasks.exe
1300	schtasks.exe
1648	schtasks.exe
2204	schtasks.exe
2640	schtasks.exe
1104	schtasks.exe
2412	schtasks.exe
2364	schtasks.exe
2416	schtasks.exe
1704	schtasks.exe
808	schtasks.exe
1276	schtasks.exe
2072	schtasks.exe
1956	schtasks.exe
2116	schtasks.exe
1532	schtasks.exe
2904	schtasks.exe
2124	schtasks.exe
2828	schtasks.exe
2320	schtasks.exe
1540	schtasks.exe
2604	schtasks.exe
468	schtasks.exe
2432	schtasks.exe
2632	schtasks.exe
2572	schtasks.exe
2840	schtasks.exe
2824	schtasks.exe
1920	schtasks.exe
2224	schtasks.exe
3052	schtasks.exe
1012	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

pid	Process
572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
2380	powershell.exe
804	powershell.exe
1480	powershell.exe
2832	powershell.exe
2072	powershell.exe
1764	powershell.exe
2588	powershell.exe
2180	powershell.exe
2664	powershell.exe
2212	powershell.exe
1284	powershell.exe
3060	powershell.exe
2892	lsm.exe
580	lsm.exe
3040	lsm.exe
948	lsm.exe
1056	lsm.exe
3008	lsm.exe
1764	lsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2892	lsm.exe
Token: SeDebugPrivilege	580	lsm.exe
Token: SeDebugPrivilege	3040	lsm.exe
Token: SeDebugPrivilege	948	lsm.exe
Token: SeDebugPrivilege	1056	lsm.exe
Token: SeDebugPrivilege	3008	lsm.exe
Token: SeDebugPrivilege	1764	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.execmd.exelsm.exeWScript.exelsm.exeWScript.exelsm.exe

description	pid	Process	procid_target
PID 572 wrote to memory of 3060	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	76
PID 572 wrote to memory of 3060	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	76
PID 572 wrote to memory of 3060	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	76
PID 572 wrote to memory of 2380	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	77
PID 572 wrote to memory of 2380	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	77
PID 572 wrote to memory of 2380	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	77
PID 572 wrote to memory of 804	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	78
PID 572 wrote to memory of 804	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	78
PID 572 wrote to memory of 804	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	78
PID 572 wrote to memory of 2180	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	79
PID 572 wrote to memory of 2180	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	79
PID 572 wrote to memory of 2180	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	79
PID 572 wrote to memory of 2664	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	81
PID 572 wrote to memory of 2664	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	81
PID 572 wrote to memory of 2664	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	81
PID 572 wrote to memory of 1480	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	82
PID 572 wrote to memory of 1480	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	82
PID 572 wrote to memory of 1480	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	82
PID 572 wrote to memory of 1764	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	84
PID 572 wrote to memory of 1764	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	84
PID 572 wrote to memory of 1764	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	84
PID 572 wrote to memory of 2588	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	85
PID 572 wrote to memory of 2588	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	85
PID 572 wrote to memory of 2588	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	85
PID 572 wrote to memory of 2212	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	86
PID 572 wrote to memory of 2212	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	86
PID 572 wrote to memory of 2212	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	86
PID 572 wrote to memory of 2832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	88
PID 572 wrote to memory of 2832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	88
PID 572 wrote to memory of 2832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	88
PID 572 wrote to memory of 1284	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	90
PID 572 wrote to memory of 1284	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	90
PID 572 wrote to memory of 1284	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	90
PID 572 wrote to memory of 2072	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	91
PID 572 wrote to memory of 2072	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	91
PID 572 wrote to memory of 2072	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	91
PID 572 wrote to memory of 832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	100
PID 572 wrote to memory of 832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	100
PID 572 wrote to memory of 832	572	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe	100
PID 832 wrote to memory of 1968	832	cmd.exe	102
PID 832 wrote to memory of 1968	832	cmd.exe	102
PID 832 wrote to memory of 1968	832	cmd.exe	102
PID 832 wrote to memory of 2892	832	cmd.exe	103
PID 832 wrote to memory of 2892	832	cmd.exe	103
PID 832 wrote to memory of 2892	832	cmd.exe	103
PID 2892 wrote to memory of 2128	2892	lsm.exe	104
PID 2892 wrote to memory of 2128	2892	lsm.exe	104
PID 2892 wrote to memory of 2128	2892	lsm.exe	104
PID 2892 wrote to memory of 2860	2892	lsm.exe	105
PID 2892 wrote to memory of 2860	2892	lsm.exe	105
PID 2892 wrote to memory of 2860	2892	lsm.exe	105
PID 2128 wrote to memory of 580	2128	WScript.exe	106
PID 2128 wrote to memory of 580	2128	WScript.exe	106
PID 2128 wrote to memory of 580	2128	WScript.exe	106
PID 580 wrote to memory of 2852	580	lsm.exe	107
PID 580 wrote to memory of 2852	580	lsm.exe	107
PID 580 wrote to memory of 2852	580	lsm.exe	107
PID 580 wrote to memory of 1988	580	lsm.exe	108
PID 580 wrote to memory of 1988	580	lsm.exe	108
PID 580 wrote to memory of 1988	580	lsm.exe	108
PID 2852 wrote to memory of 3040	2852	WScript.exe	109
PID 2852 wrote to memory of 3040	2852	WScript.exe	109
PID 2852 wrote to memory of 3040	2852	WScript.exe	109
PID 3040 wrote to memory of 2104	3040	lsm.exe	110

System policy modification 1 TTPs 24 IoCs

evasion

Modify Registry

T1112

Processes:

ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exelsm.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe
"C:\Users\Admin\AppData\Local\Temp\ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s9W2tFAszy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1968
- - C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
    "C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50555dd6-f050-4ace-a014-db8f26b705ae.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:580
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f0b065d-8b2f-4fb9-b1b0-84ce9efe6650.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19fb223f-8217-4245-a906-283197f3a51c.vbs"
        8⤵
        
        PID:2104
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f357053-0e8c-406b-91b9-c2d8f812e753.vbs"
        10⤵
        
        PID:1576
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d12c4c94-ba11-4437-8338-7db9e97231b1.vbs"
        12⤵
        
        PID:2900
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce3a2f48-d4d3-4903-b312-e481321cc460.vbs"
        14⤵
        
        PID:700
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        
        C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259a87cc-5246-444a-80c3-4259508ef557.vbs"
        16⤵
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e178b113-e8ac-4c44-84b9-b091e8821c1b.vbs"
        16⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ed12a9d-5741-4c92-8aff-8b5d02ca82ed.vbs"
        14⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\259fba58-66c4-4cf7-b643-361437e4f54c.vbs"
        12⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9608e63-4271-467a-9108-31a3c11b8c38.vbs"
        10⤵
        
        PID:1104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4551c20d-158e-4d2e-9e00-ff68fc3d0066.vbs"
        8⤵
        
        PID:2348
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5163c490-ded8-48d7-9887-9f749edbf071.vbs"
        6⤵
        
        PID:1988
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf47e2bb-abe8-46be-8a9e-0f03606af9b1.vbs"
      4⤵
      PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RCXBD7C.tmp

Filesize
4.9MB

MD5
697c391926a9a93957e5793ef056c4db

SHA1
1c66c52cd33d9ed9ad88efa4a0b1640beead4b2d

SHA256
3bbbaf77ce5cdf3c0a079249dc95b097ad13378ef07c074dbce6f907f6183ddf

SHA512
bb99f7ca370f6de601ed881d19b36f4c41bc63108f249d341cb63b0fb8fadbc88248a3a48ac1fcef6de964bcbb6f88c62bb4a151f78b00c41b30446b64032b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\19fb223f-8217-4245-a906-283197f3a51c.vbs

Filesize
768B

MD5
57a945d1d3f664a02083d25061046ea0

SHA1
443eec46821b5871ca04011ebe9172e96142ce6c

SHA256
cc67b44f305c255a6f391053f72c936b489d5fdd28e7e1ee5c3db936071a94f6

SHA512
0e8e539c13503cd2b30f8782ca7514e324759008db369d7fd774dea9c7200bd0206d99dc67ef8f06635b168c836d98ab0d31c701168bf96ffde19a2a6a8200f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\259a87cc-5246-444a-80c3-4259508ef557.vbs

Filesize
768B

MD5
d1e183ce25fa9decd9eda86107903c48

SHA1
3158d9e584c8efed13b7816f01b60cb896df7d18

SHA256
dbe94f7c4711950174089e5085aec38f10a26b1f460b37a24acc99953b4aba6a

SHA512
b3802eb1c0a60ecb054e714e97e3f88eb6d59e1bcb878857d5088d7b4972262175770c40d7aafb05ce18be62ac7b30133e6ab12a35633b144b083461d7305ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\50555dd6-f050-4ace-a014-db8f26b705ae.vbs

Filesize
768B

MD5
2e7c1cc70c73a0bb6737976a28f8e3dd

SHA1
3d2e3a74a513b024de8ee8b9cd02b342837f5338

SHA256
e5a12e59d5a39563dce8b2b013650c5b2a8769b60a75ef938d8b36b6bed853f8

SHA512
4444640997290f2ccdbe6b941a700ac7813d30169f196cf7188010ad3e48f11dd5a25e92cc2be4a8f3ffdfe3fef39a11779c865b7eff0d839eca3547903998bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f357053-0e8c-406b-91b9-c2d8f812e753.vbs

Filesize
767B

MD5
9881a66eac5731653d67f2708d91b3e1

SHA1
5e40d546261ad7bddd221a7a295cb6cd30f0a037

SHA256
3235b06e868c5b2f55ef7605418ee6e002d19061bdab78485d03130738e40963

SHA512
c324ec6286a38c03386dfbd409b2b9ab0d846719a2d8e3bffec40dc4bcea6852fc34284c3c4f96e69ff24e5f6bd0a79b0ef6edccc837ac13a3cddfaea9d8316b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f0b065d-8b2f-4fb9-b1b0-84ce9efe6650.vbs

Filesize
767B

MD5
d49744be328da38ac0c7f8a90dee64e1

SHA1
1506c5f6ec3f6c58c95badc2b57550b7435715b1

SHA256
9f6dc2223771811f3e8aaf001de64e0e97677b8afcb2fd8773991bcff350f494

SHA512
20551739e0c9eb7bd222c9251991c98313cae6e3286f38d53b6e9b459db5052829daa2f0c64742cac0797b8ba0ed40c6729700fd11d8979f49282464e99540f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3a2f48-d4d3-4903-b312-e481321cc460.vbs

Filesize
768B

MD5
e0ed47f9186dc750ad854ae7661df067

SHA1
6401f916353a6346be8e5618dcde3e321103aab3

SHA256
aea3c48b40882f399aecdb1218ef794568e3966ddcb1728e61489d0edf73a783

SHA512
4dc90a65e4082ecf38e0f6fd098534f72032226d38a9bc209a33356d57fd72bf29aa3c75211b230f541e0381d27efb4bb6a0bea6eb52aaa1fd9744ea884cba60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf47e2bb-abe8-46be-8a9e-0f03606af9b1.vbs

Filesize
544B

MD5
29ce0bd83bba0a6d434829fd55010ab1

SHA1
880d7ab288b8349ccd96eaca74e9c4915b8d577c

SHA256
0243c0dfb396ccf852ef892145b767f894903430409e050bcd33d9d92502fb18

SHA512
6a2fd6ebe7ba8d91e96f0ae90c36b2144ba1c1b8134a78e38abdc3bb1c4aae69bec745cf1d2b6b4f769b0074946a3025a656f23243a38ca51b1aa85957f7196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d12c4c94-ba11-4437-8338-7db9e97231b1.vbs

Filesize
768B

MD5
5e9dcbb071b3a666134dbc79cedf3a60

SHA1
0b718c738b89a3438350786b3a4b4f32f38dc7b4

SHA256
1c2a15f42625a9b3abeab7afe1cb2656358ef5dfe5f73402e64b1bd7bb0dc3df

SHA512
38231cd659bd579a2707e777a7f420b9679a3cd7ec85dcd5306d16e68a3631e1d2a89728bea9fc046b2751cf6669f71537e82c1416e19cd15fab7889ed01f828

Download Submit
C:\Users\Admin\AppData\Local\Temp\s9W2tFAszy.bat

Filesize
257B

MD5
db90dfc97f853accd374e34318bb499e

SHA1
0cc90b19cfefce97ddc1af3c50fb4f91811a940e

SHA256
345b30ad11922b241a66651dddfd4767bd15498aa4d483a0162a8b815b8bcb21

SHA512
4afffa72b84fba7fc48c815b8b69ebe382003b86fd5a215e44f86155a0f58618bf1ff03272ce4cc3ff715fa2a4d64810027fd90909252540f2199f7aa334180a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD14.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5CGTAIF58BSHK0BB5UHM.temp

Filesize
7KB

MD5
49add2ccf6487cdbddd593ff46d8886a

SHA1
772c45894f8e858fe0507cde4eb573d402559227

SHA256
f621752b2a9046a99298c5b0da768da4ce9781bdbc5d1f36d27a794fd321c246

SHA512
8ca5aab437f9c39b3ba7a8d9e02210077dc7c18eeaabb9421694a9e0a3b68beab7c739ad78c43d4dbb7f500f65ef472458fca40833bc5da5368c28a2ca2ac32a

Download Submit
C:\Windows\Prefetch\taskhost.exe

Filesize
4.9MB

MD5
7036b30146fb317c8aaa24effa7f79c0

SHA1
e5887a7e997c2c2896d15bfa03169421ef8900ae

SHA256
ef62583268f98c6f0aa4b94dd9f82d5efd2ff85032412f2fd8e85d7d50b8b2a1

SHA512
fe3eb8589494b37527462fba8d588055a5145e3a5c9d5f974d31ee98b636ae5ed7fe850681c0ba7564f8d24bf4f8947923da1e2194ec404300e2269a0d7d0669

Download Submit
memory/572-114-0x000007FEF4E20000-0x000007FEF580C000-memory.dmp

Filesize
9.9MB

Download
memory/572-16-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/572-14-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/572-9-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/572-13-0x00000000023D0000-0x00000000023DE000-memory.dmp

Filesize
56KB

Download
memory/572-12-0x00000000023C0000-0x00000000023CE000-memory.dmp

Filesize
56KB

Download
memory/572-99-0x000007FEF4E23000-0x000007FEF4E24000-memory.dmp

Filesize
4KB

Download
memory/572-0-0x000007FEF4E23000-0x000007FEF4E24000-memory.dmp

Filesize
4KB

Download
memory/572-11-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/572-211-0x000007FEF4E20000-0x000007FEF580C000-memory.dmp

Filesize
9.9MB

Download
memory/572-10-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/572-3-0x000007FEF4E20000-0x000007FEF580C000-memory.dmp

Filesize
9.9MB

Download
memory/572-2-0x000000001B5E0000-0x000000001B70E000-memory.dmp

Filesize
1.2MB

Download
memory/572-4-0x0000000000970000-0x000000000098C000-memory.dmp

Filesize
112KB

Download
memory/572-15-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/572-8-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/572-7-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/572-5-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/572-6-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/572-1-0x00000000001B0000-0x00000000006A4000-memory.dmp

Filesize
5.0MB

Download
memory/580-234-0x0000000000B00000-0x0000000000FF4000-memory.dmp

Filesize
5.0MB

Download
memory/948-264-0x0000000000D10000-0x0000000001204000-memory.dmp

Filesize
5.0MB

Download
memory/1056-279-0x0000000001330000-0x0000000001824000-memory.dmp

Filesize
5.0MB

Download
memory/1764-308-0x0000000000BC0000-0x00000000010B4000-memory.dmp

Filesize
5.0MB

Download
memory/2072-189-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2380-210-0x00000000026A0000-0x00000000026A8000-memory.dmp

Filesize
32KB

Download
memory/2892-220-0x0000000000030000-0x0000000000524000-memory.dmp

Filesize
5.0MB

Download
memory/3040-249-0x00000000001A0000-0x0000000000694000-memory.dmp

Filesize
5.0MB

Download