dcrat | 5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Size

4.9MB
MD5

1ee8e7191df743349bbc4bcd6e3570a0
SHA1

aafd7860457e3a7ff9b53457e9c30451785fba60
SHA256

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3
SHA512

fc08546b960bd11a31f76628a5eacaf4c811d312ccca0121f7a18f01f578360b07ff38193e55f46ccb8429ee73d224532cfcab3511831be4722072d13e73e10d
SSDEEP

49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2640	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2640	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exedllhost.exedllhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2856-2-0x000000001B3C0000-0x000000001B4EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2076	powershell.exe
3064	powershell.exe
2188	powershell.exe
2028	powershell.exe
2556	powershell.exe
2344	powershell.exe
2760	powershell.exe
2924	powershell.exe
400	powershell.exe
2940	powershell.exe
1896	powershell.exe
3060	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
1620	dllhost.exe
1780	dllhost.exe
1600	dllhost.exe
2924	dllhost.exe
3008	dllhost.exe
1072	dllhost.exe
2984	dllhost.exe
900	dllhost.exe
1736	dllhost.exe
948	dllhost.exe
2320	dllhost.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exedllhost.exedllhost.exedllhost.exedllhost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\lsass.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File created	C:\Program Files\Google\Chrome\6203df4a6bafc7	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File opened for modification	C:\Program Files\Google\Chrome\RCX7D7E.tmp	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File opened for modification	C:\Program Files\Google\Chrome\lsass.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe

Drops file in Windows directory 8 IoCs

Processes:

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe

description	ioc	Process
File opened for modification	C:\Windows\Help\Help\de-DE\RCX9107.tmp	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File opened for modification	C:\Windows\Help\Help\de-DE\spoolsv.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File created	C:\Windows\Branding\Basebrd\audiodg.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File opened for modification	C:\Windows\Branding\Basebrd\audiodg.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File created	C:\Windows\Branding\Basebrd\42af1c969fbb7b	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File created	C:\Windows\Help\Help\de-DE\spoolsv.exe	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File created	C:\Windows\Help\Help\de-DE\f3b6ecef712a24	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
File opened for modification	C:\Windows\Branding\Basebrd\RCX7698.tmp	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
264	schtasks.exe
1928	schtasks.exe
2948	schtasks.exe
1604	schtasks.exe
1508	schtasks.exe
1696	schtasks.exe
1608	schtasks.exe
2412	schtasks.exe
1496	schtasks.exe
956	schtasks.exe
772	schtasks.exe
2680	schtasks.exe
1548	schtasks.exe
2952	schtasks.exe
2564	schtasks.exe
1356	schtasks.exe
1444	schtasks.exe
1904	schtasks.exe
1768	schtasks.exe
2208	schtasks.exe
752	schtasks.exe
340	schtasks.exe
528	schtasks.exe
1912	schtasks.exe
1976	schtasks.exe
1128	schtasks.exe
2460	schtasks.exe
1268	schtasks.exe
3016	schtasks.exe
1660	schtasks.exe
2428	schtasks.exe
668	schtasks.exe
1784	schtasks.exe
2636	schtasks.exe
2704	schtasks.exe
3064	schtasks.exe
2652	schtasks.exe
2672	schtasks.exe
1732	schtasks.exe
2032	schtasks.exe
1308	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
1896	powershell.exe
2556	powershell.exe
2760	powershell.exe
2028	powershell.exe
3064	powershell.exe
2188	powershell.exe
2940	powershell.exe
2344	powershell.exe
2076	powershell.exe
2924	powershell.exe
400	powershell.exe
3060	powershell.exe
1620	dllhost.exe
1780	dllhost.exe
1600	dllhost.exe
2924	dllhost.exe
3008	dllhost.exe
1072	dllhost.exe
2984	dllhost.exe
900	dllhost.exe
1736	dllhost.exe
948	dllhost.exe
2320	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1620	dllhost.exe
Token: SeDebugPrivilege	1780	dllhost.exe
Token: SeDebugPrivilege	1600	dllhost.exe
Token: SeDebugPrivilege	2924	dllhost.exe
Token: SeDebugPrivilege	3008	dllhost.exe
Token: SeDebugPrivilege	1072	dllhost.exe
Token: SeDebugPrivilege	2984	dllhost.exe
Token: SeDebugPrivilege	900	dllhost.exe
Token: SeDebugPrivilege	1736	dllhost.exe
Token: SeDebugPrivilege	948	dllhost.exe
Token: SeDebugPrivilege	2320	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.execmd.exedllhost.exeWScript.exedllhost.exeWScript.exedllhost.exe

description	pid	Process	procid_target
PID 2856 wrote to memory of 2188	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	73
PID 2856 wrote to memory of 2188	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	73
PID 2856 wrote to memory of 2188	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	73
PID 2856 wrote to memory of 2028	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	74
PID 2856 wrote to memory of 2028	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	74
PID 2856 wrote to memory of 2028	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	74
PID 2856 wrote to memory of 2556	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	75
PID 2856 wrote to memory of 2556	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	75
PID 2856 wrote to memory of 2556	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	75
PID 2856 wrote to memory of 400	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	76
PID 2856 wrote to memory of 400	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	76
PID 2856 wrote to memory of 400	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	76
PID 2856 wrote to memory of 2344	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	77
PID 2856 wrote to memory of 2344	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	77
PID 2856 wrote to memory of 2344	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	77
PID 2856 wrote to memory of 2940	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	78
PID 2856 wrote to memory of 2940	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	78
PID 2856 wrote to memory of 2940	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	78
PID 2856 wrote to memory of 1896	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	79
PID 2856 wrote to memory of 1896	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	79
PID 2856 wrote to memory of 1896	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	79
PID 2856 wrote to memory of 3060	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	80
PID 2856 wrote to memory of 3060	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	80
PID 2856 wrote to memory of 3060	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	80
PID 2856 wrote to memory of 2760	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	82
PID 2856 wrote to memory of 2760	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	82
PID 2856 wrote to memory of 2760	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	82
PID 2856 wrote to memory of 2076	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	83
PID 2856 wrote to memory of 2076	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	83
PID 2856 wrote to memory of 2076	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	83
PID 2856 wrote to memory of 3064	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	84
PID 2856 wrote to memory of 3064	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	84
PID 2856 wrote to memory of 3064	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	84
PID 2856 wrote to memory of 2924	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	85
PID 2856 wrote to memory of 2924	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	85
PID 2856 wrote to memory of 2924	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	85
PID 2856 wrote to memory of 3008	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	97
PID 2856 wrote to memory of 3008	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	97
PID 2856 wrote to memory of 3008	2856	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe	97
PID 3008 wrote to memory of 772	3008	cmd.exe	99
PID 3008 wrote to memory of 772	3008	cmd.exe	99
PID 3008 wrote to memory of 772	3008	cmd.exe	99
PID 3008 wrote to memory of 1620	3008	cmd.exe	100
PID 3008 wrote to memory of 1620	3008	cmd.exe	100
PID 3008 wrote to memory of 1620	3008	cmd.exe	100
PID 1620 wrote to memory of 2632	1620	dllhost.exe	101
PID 1620 wrote to memory of 2632	1620	dllhost.exe	101
PID 1620 wrote to memory of 2632	1620	dllhost.exe	101
PID 1620 wrote to memory of 3068	1620	dllhost.exe	102
PID 1620 wrote to memory of 3068	1620	dllhost.exe	102
PID 1620 wrote to memory of 3068	1620	dllhost.exe	102
PID 2632 wrote to memory of 1780	2632	WScript.exe	103
PID 2632 wrote to memory of 1780	2632	WScript.exe	103
PID 2632 wrote to memory of 1780	2632	WScript.exe	103
PID 1780 wrote to memory of 2988	1780	dllhost.exe	105
PID 1780 wrote to memory of 2988	1780	dllhost.exe	105
PID 1780 wrote to memory of 2988	1780	dllhost.exe	105
PID 1780 wrote to memory of 1996	1780	dllhost.exe	106
PID 1780 wrote to memory of 1996	1780	dllhost.exe	106
PID 1780 wrote to memory of 1996	1780	dllhost.exe	106
PID 2988 wrote to memory of 1600	2988	WScript.exe	107
PID 2988 wrote to memory of 1600	2988	WScript.exe	107
PID 2988 wrote to memory of 1600	2988	WScript.exe	107
PID 1600 wrote to memory of 2080	1600	dllhost.exe	108

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

Processes:

dllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exedllhost.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe
"C:\Users\Admin\AppData\Local\Temp\5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:772
- - C:\Users\All Users\Documents\dllhost.exe
    "C:\Users\All Users\Documents\dllhost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1620
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c3e21d8-b8b1-4432-91fb-66440deb0430.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1780
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6374f485-2a7c-466c-8e50-c5271a2e7950.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f5c738-a9e5-4a83-b6ca-992c12f9a141.vbs"
        8⤵
        
        PID:2080
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6d0f389-b58b-45b5-bfab-533bab92a6f8.vbs"
        10⤵
        
        PID:2200
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0426a767-3fb8-41ad-a010-36fd41c4f6da.vbs"
        12⤵
        
        PID:296
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8675ff24-44b4-4a16-9427-7c17f614b06d.vbs"
        14⤵
        
        PID:1604
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0c9c48-5f65-43b9-a732-177c7bc8a019.vbs"
        16⤵
        
        PID:1932
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5a5994a-2fb1-4d45-a3ee-445014653e52.vbs"
        18⤵
        
        PID:2936
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183f5d1f-d4df-4f6d-aefd-9ac36cd73f09.vbs"
        20⤵
        
        PID:1808
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ef0252-75b9-4290-8c9e-780d64abc5f4.vbs"
        22⤵
        
        PID:1724
        
        C:\Users\All Users\Documents\dllhost.exe
        
        "C:\Users\All Users\Documents\dllhost.exe"
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63eda4a8-f9f5-46fa-a0ae-397a779f4939.vbs"
        24⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47ba81b5-08db-44bf-98e8-da64c8460f36.vbs"
        24⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c8c120-6df3-465a-8977-fd334f81b358.vbs"
        22⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdec804b-04d6-4131-b46d-dee1be99cc09.vbs"
        20⤵
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe96fb5-d864-4123-b1a3-fd2eec871004.vbs"
        18⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2376e1c5-ac3a-4eba-9233-70321d33061f.vbs"
        16⤵
        
        PID:844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\468c5a2b-e3b3-4f4d-b5a3-f4849628af01.vbs"
        14⤵
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdc29757-9c3f-476b-8595-ca1742465990.vbs"
        12⤵
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c8ce24-5306-4dbb-a46f-ad7ab82755a1.vbs"
        10⤵
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\750dfaa8-20d1-43cd-9e60-58b800cfaeaa.vbs"
        8⤵
        
        PID:1696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a409426-45c7-48d2-ac3c-33f8b22e1d42.vbs"
        6⤵
        
        PID:1996
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa0f15ef-1256-41d1-88d6-c41330ed9bc7.vbs"
      4⤵
      PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\Basebrd\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Help\Help\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Help\Help\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe

Filesize
4.9MB

MD5
1ee8e7191df743349bbc4bcd6e3570a0

SHA1
aafd7860457e3a7ff9b53457e9c30451785fba60

SHA256
5f86384891b455ddb5d94b659c947ad67b76b282fcb268f12a31a2f3005b19a3

SHA512
fc08546b960bd11a31f76628a5eacaf4c811d312ccca0121f7a18f01f578360b07ff38193e55f46ccb8429ee73d224532cfcab3511831be4722072d13e73e10d

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\RCX886C.tmp

Filesize
4.9MB

MD5
3b57a0f6c8173bf93551709c3a66263a

SHA1
616890ab70110fc91b154540e299278bd9cd0a07

SHA256
0b7f4880a6d3040654703943d4097aec564a1c8509d22fbd5a569556541fb58c

SHA512
7688b45b5ec25e25447181633caff438b9f8cddf16495f2bcb2eacf9ad5cceb04c839edc20864b7060b382704677e8cb5f1c40c7153ee55cd9cfdba9f44a0643

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe

Filesize
4.9MB

MD5
ce5845253f9954a423bc1557884b43e8

SHA1
3316d0558c4811e2fecaf72416bba47e3367be64

SHA256
844cd50049c493ba9a74ac19537a7012aa95e583482f2aa2ab4b40a0d1dcfc12

SHA512
d9fa009ef7aa12980f9167f06c4269e6d935ff30fca7298e2c30c2d8c9e319cebc3da85e52f125e21dc442082d4076492fb64168a34bc7fbe2b3953e01dc7f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\0426a767-3fb8-41ad-a010-36fd41c4f6da.vbs

Filesize
716B

MD5
54cf2e2cff5a97477677bd236dd44e66

SHA1
afb7bf2d9ba13ca060deab0aa02715392715bb45

SHA256
8e6c4cd1807381aa64ec1ac885a288d74910b673b752405bc043b9ac3d772c61

SHA512
60df516529f806ca6994a3a6c1a3d2c28c8c9b8aa76a07410429c0c867f9a6c087ba3d37b82e72fa88485d09be493057e593fb299f124cc62e62fdae61e1f8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\183f5d1f-d4df-4f6d-aefd-9ac36cd73f09.vbs

Filesize
716B

MD5
a5a4d151a86f314dbbeaacd1a38a039e

SHA1
fd8e225b7c92bbdc9de9f0800ba3e9e8f8f6d730

SHA256
893e3930f76bb1dc681f208c809deca00667d9b3b41b795a057557ae996ddc96

SHA512
05d0d0028c44934f406b8638ed62db8c00ae63f56b8c830c3f98cecf1ce3dba0b82f3bced7050df463dcdf354d1c9c9bce7aa722b6a0477fb97e22f0e72a551d

Download Submit
C:\Users\Admin\AppData\Local\Temp\49f5c738-a9e5-4a83-b6ca-992c12f9a141.vbs

Filesize
716B

MD5
8afeafa92229c184379cbb5e7899a942

SHA1
fe8243c4d0525cf7d660104ee1ee843874084c85

SHA256
533c47513d678e0d40a5b9ca3be1a4b6f903f98adb0538f2bd2a9cfcd458653e

SHA512
f1365b8fb77d59bc11aaf3adc8dae324d6ee4d4ad9d34848834bcc3b825f926435f08f553a3800e6f584522fced7abbda7cf468b0df615ded83cd673310ff961

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a0c9c48-5f65-43b9-a732-177c7bc8a019.vbs

Filesize
716B

MD5
80e54bbfc6a02d2c88451d1914cbd7bc

SHA1
189c7bee8ac002f0e080139655a4aa3627730e50

SHA256
4f9f3d2171d8d7b46066d9fbed91c3b8efe5498f425a84f2b83898d3e40e4180

SHA512
2afb60df9400d32822875fc2d0671782cf32eee1e32587dfef71181323d2a16581ccce70efa841a702a49ae95cd54c642bf9f14564c8ac91aacc371b0468cac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c3e21d8-b8b1-4432-91fb-66440deb0430.vbs

Filesize
716B

MD5
fefe798a1371dd4602c8a897d922a7c0

SHA1
c9728194c071912ed2403e1bbb51fd7883f39993

SHA256
99ac0af869da9e9b37a0b426f6e0c89f34fe66bdb4d1e20380e59729ac3e407d

SHA512
6da03257529e3c3f075220c0c1158e5a01dbf3b6d8d3a1f3f6a2469cdcd7c3f29e38d3505564543422128075e819ec965f9ba84470b375599a984870f7f1b468

Download Submit
C:\Users\Admin\AppData\Local\Temp\6374f485-2a7c-466c-8e50-c5271a2e7950.vbs

Filesize
716B

MD5
62be019701e40ce0f6041a86ee18e047

SHA1
83ab296f6aeda98286417e24b1957fdcf78acbee

SHA256
b415ff3800312efbb7eb0ade770e2968b66a1ee1574a2983fa26907722f17aa3

SHA512
590995b68d193b7ae7f09827ae75941542f1cdfccf9df5ee2ee94fb7baa408329ab1de7cbd443e7b0de9362c0474afe6adf350d1f5c7c5b8cefd9c63a01e95e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\63eda4a8-f9f5-46fa-a0ae-397a779f4939.vbs

Filesize
716B

MD5
cd2424978563aa30639b30650b3ad350

SHA1
d8beb4ad2669772b0196415eee3e264769c558a8

SHA256
fc4111947ff61f496f665e551562ac63d6aaf131bb547e0b02fe115bea92002a

SHA512
904f2600da70a3d06d009ddfd3ef5e2aafdefb6432c4074794e2725fc888cc5a1526da2279d6fada4d6b81246ede08c828601a8ff3fe0dba0b1eef80dc283a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\8675ff24-44b4-4a16-9427-7c17f614b06d.vbs

Filesize
716B

MD5
d1ebb1bf4103192dbd7ed8936ed0dac4

SHA1
eb605a4ef12b59670b4c68bbb5876c53084cb425

SHA256
b6031f6658a4b81b800477721cd23f4d433460fa9f86b0bbbeec1cb90d6ae340

SHA512
03ae7884bc39f64d2147b1bd8c9d88abf3ab21df40d65dd60ed420e457daa12ee1dd6f202e9d5209c45582cc89a4c169e307808aaa79dcaadf8acba96a604719

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuTDFz0U9E.bat

Filesize
205B

MD5
7d86c07ede901f751481192f831d67d1

SHA1
10796207783e59e394da15f910610f16fc85a4a5

SHA256
f236441f8224d7bd887d22caa3391d755a873e34372ed0427cb997d6147d40c1

SHA512
cd04bfe8cee8c1487cd88472a999440e8cd1b6d03a54fb51c92fc73580bfe331ffff10a4f54adb1163c01fbc69d0d231c7aa1f8b6f359288938673535a280f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5a5994a-2fb1-4d45-a3ee-445014653e52.vbs

Filesize
715B

MD5
57f46abf693ec7c2dac56988004099e6

SHA1
991a19f557e72992b571c950ea851453ef1f6c7f

SHA256
55abfccb7614ac53cb3f06d0474daf16d3cdd11ca7380eef3ce95e97322748ec

SHA512
9632f53f4378e7170e46e4b802cc5920c12cf90e29e54c2e5a75fc05cd464b4bed63bc242c1c9924e62930110645643a3776eafbbe7bdfd5dc2073ca8d17bd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa0f15ef-1256-41d1-88d6-c41330ed9bc7.vbs

Filesize
492B

MD5
1ee57eb5a3c00a0480406f640204d806

SHA1
acbcb1eaf7ce66d86d1e73e17a2539e66a347853

SHA256
dd9cd80b9076121a65f86aa0b63580e494da487786eb798cdb8b3afff2b23b59

SHA512
d8dffad26dd8b442294fc7e93f2f2cc0d546fa2ee32e92bdf6bd4b4648f171f84b4a5e4635aa3a21c2b157f9bd9a3ff335c1d6fad7d0fa16a99740f440ef495b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8ef0252-75b9-4290-8c9e-780d64abc5f4.vbs

Filesize
715B

MD5
66d3f8512381364f2bd2f9cb92736ec9

SHA1
b3c57dbb86ec458bb2993c72d96269cb234a6213

SHA256
e4cbcbaa72073414d00b187634032ea9449674f545a955fb69564fbe9fceb369

SHA512
8e42544f7432c16446e0eb9b4c78a771b292adb55feeb79233817eb099eed1005daa3491b765bfa2976429be9d018c4d22de918078c321fb0fddd73f7c9d4df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6d0f389-b58b-45b5-bfab-533bab92a6f8.vbs

Filesize
716B

MD5
042e63d9cd8bf3722afd1db026763543

SHA1
015eb71564dbe99485d29a22adbde017e55539b1

SHA256
f8cb8a2baa68bdc21e355f238eb2a264479016909ad9d1aa9fa11256dd4a20a9

SHA512
86a17a69d6042d600a4b69237bcaa79be087675278216d1998f2e42414989ab02f68c7becd1689b162b033d16b063f53e559c3643da2605edeb4c14c148004ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC1E.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb72b5f99de0493c4a238c54ba1921a9

SHA1
8f6756621e2a0ca556db8f6c6c0008c6d5997aa6

SHA256
7fd46188fe133578e3bce52411e8c6dc860cbed174ef2983aee4f2035a7b4cae

SHA512
0f6c1340b5bd6e94392dcb0689dc8b8e93bd31a1927ca4791f0944dfc46c7ba3f1be7c4c82847e841fc31bbc0898fd8b1618a9a595c4258ee752b52e04e6a53d

Download Submit
C:\Users\Public\Documents\dllhost.exe

Filesize
4.9MB

MD5
557751ec0fda4ebfd7048a6ea7fce4a7

SHA1
c0b7b835c68d429071502ed5508a6eb433b13de6

SHA256
152bfd1bfdd4fed8111138b96447ff7dd068206dfcfd055fbb867bf1acf576c7

SHA512
f8d238b4973d1bc76940763779bc8901d1baf20c89ea629c52257153544c39cb1c8c32bcb48858aaf6ce7966a91121bbcf3387d3d79fa880c0d64a175048525b

Download Submit
memory/900-312-0x0000000000010000-0x0000000000504000-memory.dmp

Filesize
5.0MB

Download
memory/1072-282-0x0000000000320000-0x0000000000814000-memory.dmp

Filesize
5.0MB

Download
memory/1600-239-0x0000000001280000-0x0000000001774000-memory.dmp

Filesize
5.0MB

Download
memory/1620-209-0x0000000000E40000-0x0000000001334000-memory.dmp

Filesize
5.0MB

Download
memory/1736-327-0x0000000000D50000-0x0000000001244000-memory.dmp

Filesize
5.0MB

Download
memory/1780-223-0x0000000000280000-0x0000000000774000-memory.dmp

Filesize
5.0MB

Download
memory/1780-224-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1896-173-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2320-356-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2760-162-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2856-10-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2856-14-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2856-204-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-1-0x00000000010F0000-0x00000000015E4000-memory.dmp

Filesize
5.0MB

Download
memory/2856-9-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2856-16-0x0000000001030000-0x000000000103C000-memory.dmp

Filesize
48KB

Download
memory/2856-15-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download
memory/2856-13-0x0000000000F00000-0x0000000000F0E000-memory.dmp

Filesize
56KB

Download
memory/2856-12-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/2856-11-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/2856-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/2856-183-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-142-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/2856-8-0x0000000000D90000-0x0000000000DA0000-memory.dmp

Filesize
64KB

Download
memory/2856-7-0x0000000000E20000-0x0000000000E36000-memory.dmp

Filesize
88KB

Download
memory/2856-6-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2856-5-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2856-4-0x0000000000D70000-0x0000000000D8C000-memory.dmp

Filesize
112KB

Download
memory/2856-3-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-2-0x000000001B3C0000-0x000000001B4EE000-memory.dmp

Filesize
1.2MB

Download
memory/2984-297-0x0000000001150000-0x0000000001644000-memory.dmp

Filesize
5.0MB

Download