dcrat | e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80

Analysis

max time kernel
115s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Size

1.8MB
MD5

a2e72e24af123d7c43c0b2a998f829f0
SHA1

31d2f614def3942ca91743f6006ff1dc90f1ce94
SHA256

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80
SHA512

1a3df078ec2c913ea60b091ef2e7e46cd30c742d0a4325d11412d58b432474a1d7f2cd86e549ee6dc27a1f776c2eed88092874205ac98d463765bd13db867d9b
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	32	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	32	schtasks.exe

UAC bypass 3 TTPs 21 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/916-1-0x0000000000AF0000-0x0000000000CBE000-memory.dmp	dcrat
C:\Users\Default\services.exe	dcrat
C:\Users\Public\Music\sysmon.exe	dcrat
C:\Recovery\WindowsRE\Registry.exe	dcrat
C:\Users\Default\sihost.exe	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1608	powershell.exe
1368	powershell.exe
2740	powershell.exe
460	powershell.exe
372	powershell.exe
3440	powershell.exe
2068	powershell.exe
2044	powershell.exe
3648	powershell.exe
1964	powershell.exe
3244	powershell.exe
4916	powershell.exe
2632	powershell.exe
472	powershell.exe
3580	powershell.exe
4516	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exee4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exeSearchApp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 6 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid process

5900 SearchApp.exe
5716 SearchApp.exe
5044 SearchApp.exe
5156 SearchApp.exe
5280 SearchApp.exe
2688 SearchApp.exe

pid	process
5900	SearchApp.exe
5716	SearchApp.exe
5044	SearchApp.exe
5156	SearchApp.exe
5280	SearchApp.exe
2688	SearchApp.exe

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exee4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe

Drops file in Program Files directory 24 IoCs

Processes:

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\7-Zip\Lang\eddb19405b7ce1	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Google\RCX9CBA.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8484.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Common Files\Services\SppExtComObj.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f3b6ecef712a24	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\38384e6a620884	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Common Files\Services\SppExtComObj.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Common Files\Services\e1ef82546f0b02	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Google\services.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCX88BC.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Google\services.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8CD5.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Common Files\Services\RCX9834.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Program Files\Google\c5b4cb5e9653cc	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCX827F.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe

Drops file in Windows directory 8 IoCs

Processes:

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\unsecapp.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Windows\ServiceProfiles\29c1c3cc0f7685	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Windows\Resources\smss.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File created	C:\Windows\Resources\69ddcba757bf72	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Windows\ServiceProfiles\RCX8698.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Windows\ServiceProfiles\unsecapp.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Windows\Resources\RCX9F3C.tmp	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
File opened for modification	C:\Windows\Resources\smss.exe	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

Processes:

SearchApp.exeSearchApp.exee4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
5052	schtasks.exe
232	schtasks.exe
4416	schtasks.exe
4464	schtasks.exe
472	schtasks.exe
2068	schtasks.exe
4964	schtasks.exe
3476	schtasks.exe
2248	schtasks.exe
2740	schtasks.exe
2736	schtasks.exe
4384	schtasks.exe
3300	schtasks.exe
1036	schtasks.exe
1652	schtasks.exe
3624	schtasks.exe
2684	schtasks.exe
2180	schtasks.exe
2296	schtasks.exe
2348	schtasks.exe
1872	schtasks.exe
4940	schtasks.exe
3244	schtasks.exe
2672	schtasks.exe
2460	schtasks.exe
4652	schtasks.exe
864	schtasks.exe
2916	schtasks.exe
1984	schtasks.exe
4636	schtasks.exe
5020	schtasks.exe
3648	schtasks.exe
4740	schtasks.exe
4136	schtasks.exe
4580	schtasks.exe
4608	schtasks.exe
3588	schtasks.exe
3176	schtasks.exe
4024	schtasks.exe
3564	schtasks.exe
372	schtasks.exe
1608	schtasks.exe
5036	schtasks.exe
1364	schtasks.exe
3920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid	process
916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
2632	powershell.exe
2632	powershell.exe
2044	powershell.exe
2044	powershell.exe
3580	powershell.exe
3580	powershell.exe
372	powershell.exe
372	powershell.exe
1368	powershell.exe
1368	powershell.exe
2068	powershell.exe
2068	powershell.exe
3648	powershell.exe
3648	powershell.exe
3440	powershell.exe
3440	powershell.exe
1608	powershell.exe
1608	powershell.exe
1964	powershell.exe
1964	powershell.exe
460	powershell.exe
460	powershell.exe
4516	powershell.exe
4516	powershell.exe
4916	powershell.exe
4916	powershell.exe
2740	powershell.exe
2740	powershell.exe
3648	powershell.exe
472	powershell.exe
472	powershell.exe
3244	powershell.exe
3244	powershell.exe
2632	powershell.exe
2632	powershell.exe
4516	powershell.exe
2068	powershell.exe
3580	powershell.exe
2044	powershell.exe
2044	powershell.exe
372	powershell.exe
3440	powershell.exe
1368	powershell.exe
460	powershell.exe
1964	powershell.exe
2740	powershell.exe
4916	powershell.exe
3244	powershell.exe
1608	powershell.exe
472	powershell.exe
5900	SearchApp.exe
5900	SearchApp.exe
5716	SearchApp.exe
5044	SearchApp.exe
5156	SearchApp.exe
5280	SearchApp.exe
2688	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	5900	SearchApp.exe
Token: SeDebugPrivilege	5716	SearchApp.exe
Token: SeDebugPrivilege	5044	SearchApp.exe
Token: SeDebugPrivilege	5156	SearchApp.exe
Token: SeDebugPrivilege	5280	SearchApp.exe
Token: SeDebugPrivilege	2688	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exeSearchApp.exeWScript.exe

description	pid	process	target process
PID 916 wrote to memory of 1964	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 1964	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 472	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 472	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2632	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2632	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3648	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3648	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3440	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3440	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 1368	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 1368	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 372	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 372	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2044	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2044	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 1608	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 1608	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 4916	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 4916	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 460	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 460	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3244	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3244	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 4516	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 4516	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2068	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2068	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3580	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 3580	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2740	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 2740	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	powershell.exe
PID 916 wrote to memory of 5900	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	SearchApp.exe
PID 916 wrote to memory of 5900	916	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe	SearchApp.exe
PID 5900 wrote to memory of 5624	5900	SearchApp.exe	WScript.exe
PID 5900 wrote to memory of 5624	5900	SearchApp.exe	WScript.exe
PID 5900 wrote to memory of 5460	5900	SearchApp.exe	WScript.exe
PID 5900 wrote to memory of 5460	5900	SearchApp.exe	WScript.exe
PID 5624 wrote to memory of 5716	5624	WScript.exe	SearchApp.exe
PID 5624 wrote to memory of 5716	5624	WScript.exe	SearchApp.exe
PID 5716 wrote to memory of 4020	5716	SearchApp.exe	WScript.exe
PID 5716 wrote to memory of 4020	5716	SearchApp.exe	WScript.exe
PID 5716 wrote to memory of 5776	5716	SearchApp.exe	WScript.exe
PID 5716 wrote to memory of 5776	5716	SearchApp.exe	WScript.exe
PID 4020 wrote to memory of 5044	4020	WScript.exe	SearchApp.exe
PID 4020 wrote to memory of 5044	4020	WScript.exe	SearchApp.exe
PID 5044 wrote to memory of 632	5044	SearchApp.exe	WScript.exe
PID 5044 wrote to memory of 632	5044	SearchApp.exe	WScript.exe
PID 5044 wrote to memory of 4976	5044	SearchApp.exe	WScript.exe
PID 5044 wrote to memory of 4976	5044	SearchApp.exe	WScript.exe
PID 632 wrote to memory of 5156	632	WScript.exe	SearchApp.exe
PID 632 wrote to memory of 5156	632	WScript.exe	SearchApp.exe
PID 5156 wrote to memory of 3772	5156	SearchApp.exe	WScript.exe
PID 5156 wrote to memory of 3772	5156	SearchApp.exe	WScript.exe
PID 5156 wrote to memory of 812	5156	SearchApp.exe	WScript.exe
PID 5156 wrote to memory of 812	5156	SearchApp.exe	WScript.exe
PID 3772 wrote to memory of 5280	3772	WScript.exe	SearchApp.exe
PID 3772 wrote to memory of 5280	3772	WScript.exe	SearchApp.exe
PID 5280 wrote to memory of 4012	5280	SearchApp.exe	WScript.exe
PID 5280 wrote to memory of 4012	5280	SearchApp.exe	WScript.exe
PID 5280 wrote to memory of 2072	5280	SearchApp.exe	WScript.exe
PID 5280 wrote to memory of 2072	5280	SearchApp.exe	WScript.exe
PID 4012 wrote to memory of 2688	4012	WScript.exe	SearchApp.exe
PID 4012 wrote to memory of 2688	4012	WScript.exe	SearchApp.exe

System policy modification 1 TTPs 21 IoCs

evasion

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exee4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	SearchApp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe
"C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
  "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d2921b0-d648-47ba-b256-5794f0a7ee6c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5624
  - - C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
      "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5716
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c873ca81-5415-4555-9221-1a1782dacbd4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cc167b7-ada2-4f28-b7b7-d64a62cc077b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96d71655-bdbf-4e5a-adc4-165d8df73fc6.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e759f04-3642-41e4-ba32-7837a0ece21b.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe"
        12⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca495e5b-ce1b-4041-af68-b5d2fae31f2b.vbs"
        13⤵
        
        PID:5416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\157aa445-f440-43b6-8b8f-cde5cdb06cdd.vbs"
        13⤵
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dc149e5-ac39-4f12-b8c2-72b834162a69.vbs"
        11⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22636ab7-d005-44fe-b3d4-3d0e56e7a345.vbs"
        9⤵
        
        PID:812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee21f70-82e6-4bf8-beb7-0270ad6e0f66.vbs"
        7⤵
        
        PID:4976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31b06da-6327-4987-88f0-5f95c5ca0481.vbs"
        5⤵
        
        PID:5776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6af38177-8827-4578-b35d-fcf99a8ddc34.vbs"
    3⤵
    PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Services\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\Registry.exe

Filesize
1.8MB

MD5
5037fe826057951e0f4f11d207e0f2aa

SHA1
3f32d9dee7a29e3e6e4b137891096028be13be03

SHA256
a244445f988cf8a90253fd08f360e16b3082a626534f9cba9224d6045fefb30d

SHA512
2eac8388ec4b143158470057a01d07070549c452e67a6bdc0e34e343ec7d61f884037eed92179f5b0214f90e214d66632a024fb4ffc60d6fb9ea56298ccfc6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d2921b0-d648-47ba-b256-5794f0a7ee6c.vbs

Filesize
741B

MD5
d7e107653a185312801d121751c505d3

SHA1
ed424a45a82cee09ee5e37209025104ce9264d16

SHA256
a25ef7e5008c7cf4d836c6553aa1a77fc7bb3bf6b0d678adefbc29776b0b148b

SHA512
db637b65a28532943009c7373d58b24a4242fb507d6566bdccdfb0c50d9c651d8d122509e57ddd8d8ff8895b835a906c9e56d79de8f56a6a6360c76c8ba70c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cc167b7-ada2-4f28-b7b7-d64a62cc077b.vbs

Filesize
741B

MD5
044ea10655e1144e1f6f22577fc1b16e

SHA1
53543ac1873c6173f841e685faaaddd47c77fb76

SHA256
08288035a4841d0cd244764c3ec274c8b25b836e8ffcc2478a0d0d125266a666

SHA512
038bb6bae3a08e51a6be12d584e970afe011f90c80eff279d665622fb8cc0ddee5e79a17194b76f7d40a25a9ee64e07731a486b627470004b3da1014275ca377

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e759f04-3642-41e4-ba32-7837a0ece21b.vbs

Filesize
741B

MD5
161f7288a7cfc9fd9b64e62efeccb5b6

SHA1
c7a26e8b7af9f081aa753b9d5965ba5bf81e012c

SHA256
64e4d36856da3d56fa13e3932f1956cccf6c6ed03256489a034267d6f7d1e865

SHA512
a048e3fb5be6f4e78d159f024e1f8f9116ac2d34aff073020436111c5b49b05ab0020d253e0e6c4180b5d29870e98e3d52ec9c12c1501f02e8558eb4d91d0890

Download Submit
C:\Users\Admin\AppData\Local\Temp\6af38177-8827-4578-b35d-fcf99a8ddc34.vbs

Filesize
517B

MD5
314083e17cd11108553cc70d8527fb9c

SHA1
ce0fa2e675a09397b95f4e7fb18b9a6b6613416a

SHA256
8d1bf901fc542f3a45e34dc79c52846c71a52915bf4e17296e05821bba6ff429

SHA512
0f3b7b5a3112b2d24723c5ee7c8de789cff3b306a0a3e3e0fdcd549425df822991c27b62f86671789e0e7828cf5058827bd923e6097d16ff9fdc2cd4d4bee22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\96d71655-bdbf-4e5a-adc4-165d8df73fc6.vbs

Filesize
741B

MD5
d2fdee31c9ad5a7d48c3020b1a7c8553

SHA1
1afe91fcf7d23448cc599b7f4c21c942896e522b

SHA256
7fe41fc96564d130bb4fe021d719f93435acea22729a8a6f1d688ee5a157795e

SHA512
fe0e55ea094248d83240720f51c494e9b21ea0fb2d8d0867edea58788a8d05d23ff0bbab5f9c9176286848b7a15ebc7eeab139c322d42bf7f8eba4738d59c35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hiyehl32.aq2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c873ca81-5415-4555-9221-1a1782dacbd4.vbs

Filesize
741B

MD5
bbeab10ff1866518ca05c1926aecc9e7

SHA1
0688cd4af0b20984e7c2b0ad771217842dbc4f3e

SHA256
d7ce2afc5906b45de2bc1f82aee92cc7736135880039ab31904228e9f928ee55

SHA512
09f9f0fde0329d98c376fa58862a7029c5344b2d6e3233f3103874c9c228f6dfdf4e20dcb96aa956647463750606ed5456285ff87571f7f02a635a84c3d74ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca495e5b-ce1b-4041-af68-b5d2fae31f2b.vbs

Filesize
741B

MD5
f02ed00ba34ee1c408f6f1c49bcd3e40

SHA1
5e385f2436f6d4a47c9056c9b42f833f9961f967

SHA256
4ad772516c2f94a37d800bac7d3e499c12d4d56af54e629d102cc85c43407166

SHA512
4f0582db9e08ea8760adb159f90960b47a1494af2347c6fae9da0247029d368f4974510204033e182a32b0c00ce742826e7e59477f7c192f8c7263d2325763db

Download Submit
C:\Users\Default\services.exe

Filesize
1.8MB

MD5
a2e72e24af123d7c43c0b2a998f829f0

SHA1
31d2f614def3942ca91743f6006ff1dc90f1ce94

SHA256
e4fbbe932e19ec5e676668a71c8376ee9ae4da4284f42969ff04bc6ff97bdd80

SHA512
1a3df078ec2c913ea60b091ef2e7e46cd30c742d0a4325d11412d58b432474a1d7f2cd86e549ee6dc27a1f776c2eed88092874205ac98d463765bd13db867d9b

Download Submit
C:\Users\Default\sihost.exe

Filesize
1.8MB

MD5
93a6bfabadc41d18d769ec0c5520f8b5

SHA1
9c546befda60c01618ab32c09b9f2c69174d125a

SHA256
22e641d4c7d88c27a7de5fba8c8ddcea5dad4ef86318a7b5cd79845ce0cbb4ec

SHA512
0a88fb02e8f4312e5ba59e2c78db683223222a8f31b241efae5ef681f28e6ee0f02eb9340d6df159df8d9d8f28bdbcca3a92728a896745ddb8d4fa25ea5a39f1

Download Submit
C:\Users\Public\Music\sysmon.exe

Filesize
1.8MB

MD5
e481d11b21653321637c279761b67dd6

SHA1
a832b3e3769f4da23e967f57139226156b584af3

SHA256
a0eb7c767a2fb9e74f1e11b158d5e6fa148dda376a9c8017b1e2f7d01bb692d3

SHA512
b4585f79afec745f787d36d7541b168cd2d3b271719841114c04dbf2f950b2a16f6a426b122833ef056a9b843c0137b104462dc86f0d7800d0e1d3fa7479de00

Download Submit
memory/916-11-0x000000001BF60000-0x000000001BF72000-memory.dmp

Filesize
72KB

Download
memory/916-5-0x0000000002DB0000-0x0000000002DB8000-memory.dmp

Filesize
32KB

Download
memory/916-144-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/916-17-0x000000001C120000-0x000000001C12C000-memory.dmp

Filesize
48KB

Download
memory/916-1-0x0000000000AF0000-0x0000000000CBE000-memory.dmp

Filesize
1.8MB

Download
memory/916-16-0x000000001C110000-0x000000001C11C000-memory.dmp

Filesize
48KB

Download
memory/916-356-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/916-2-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/916-14-0x000000001C0F0000-0x000000001C0FE000-memory.dmp

Filesize
56KB

Download
memory/916-15-0x000000001C100000-0x000000001C10E000-memory.dmp

Filesize
56KB

Download
memory/916-13-0x000000001C0E0000-0x000000001C0EA000-memory.dmp

Filesize
40KB

Download
memory/916-12-0x000000001C610000-0x000000001CB38000-memory.dmp

Filesize
5.2MB

Download
memory/916-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/916-10-0x000000001BF50000-0x000000001BF5A000-memory.dmp

Filesize
40KB

Download
memory/916-9-0x000000001BF40000-0x000000001BF50000-memory.dmp

Filesize
64KB

Download
memory/916-8-0x0000000002F50000-0x0000000002F62000-memory.dmp

Filesize
72KB

Download
memory/916-7-0x0000000002F30000-0x0000000002F46000-memory.dmp

Filesize
88KB

Download
memory/916-6-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/916-3-0x0000000001590000-0x00000000015AC000-memory.dmp

Filesize
112KB

Download
memory/916-131-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/916-4-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/3580-200-0x000002676A370000-0x000002676A392000-memory.dmp

Filesize
136KB

Download
memory/5044-415-0x00000000030C0000-0x00000000030D2000-memory.dmp

Filesize
72KB

Download
memory/5280-448-0x000000001C1B0000-0x000000001C2B2000-memory.dmp

Filesize
1.0MB

Download
memory/5280-452-0x000000001C1B0000-0x000000001C2B2000-memory.dmp

Filesize
1.0MB

Download
memory/5716-403-0x000000001B890000-0x000000001B8A2000-memory.dmp

Filesize
72KB

Download
memory/5900-357-0x000000001BCC0000-0x000000001BCD2000-memory.dmp

Filesize
72KB

Download