dcrat | b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Size

4.9MB
MD5

a450c06717644483e3437db615ea4114
SHA1

93ece99062cee7344d7059986cc4727c92dbfca9
SHA256

b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a
SHA512

cb7d295f30fa69e98f52ac240e76ed9e776142a898a15c0a8911a693ccdcea441281a79c2b7f0e1e6567cc0bb73a9a6320c359a4a775b943fc84b78df6e42a24
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8+:e

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2644	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2644	schtasks.exe	30

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2092-3-0x000000001B690000-0x000000001B7BE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
1488	powershell.exe
876	powershell.exe
1292	powershell.exe
1780	powershell.exe
2428	powershell.exe
2368	powershell.exe
460	powershell.exe
2112	powershell.exe
1840	powershell.exe
2468	powershell.exe
2444	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
748	OSPPSVC.exe
2512	OSPPSVC.exe
1688	OSPPSVC.exe
796	OSPPSVC.exe
1780	OSPPSVC.exe
1372	OSPPSVC.exe
112	OSPPSVC.exe
2664	OSPPSVC.exe
1384	OSPPSVC.exe
956	OSPPSVC.exe
3068	OSPPSVC.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OSPPSVC.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\ja-JP\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files\DVD Maker\ja-JP\25c4039600c19f	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RCX6251.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX6500.tmp	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
1648	schtasks.exe
2148	schtasks.exe
2188	schtasks.exe
2948	schtasks.exe
2652	schtasks.exe
2080	schtasks.exe
428	schtasks.exe
2320	schtasks.exe
2672	schtasks.exe
2620	schtasks.exe
1988	schtasks.exe
2840	schtasks.exe
2888	schtasks.exe
2720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
1292	powershell.exe
2444	powershell.exe
580	powershell.exe
876	powershell.exe
2368	powershell.exe
1780	powershell.exe
2428	powershell.exe
1840	powershell.exe
460	powershell.exe
1488	powershell.exe
2468	powershell.exe
2112	powershell.exe
748	OSPPSVC.exe
2512	OSPPSVC.exe
1688	OSPPSVC.exe
796	OSPPSVC.exe
1780	OSPPSVC.exe
1372	OSPPSVC.exe
112	OSPPSVC.exe
2664	OSPPSVC.exe
1384	OSPPSVC.exe
956	OSPPSVC.exe
3068	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	748	OSPPSVC.exe
Token: SeDebugPrivilege	2512	OSPPSVC.exe
Token: SeDebugPrivilege	1688	OSPPSVC.exe
Token: SeDebugPrivilege	796	OSPPSVC.exe
Token: SeDebugPrivilege	1780	OSPPSVC.exe
Token: SeDebugPrivilege	1372	OSPPSVC.exe
Token: SeDebugPrivilege	112	OSPPSVC.exe
Token: SeDebugPrivilege	2664	OSPPSVC.exe
Token: SeDebugPrivilege	1384	OSPPSVC.exe
Token: SeDebugPrivilege	956	OSPPSVC.exe
Token: SeDebugPrivilege	3068	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 1488	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	46
PID 2092 wrote to memory of 1488	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	46
PID 2092 wrote to memory of 1488	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	46
PID 2092 wrote to memory of 876	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	47
PID 2092 wrote to memory of 876	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	47
PID 2092 wrote to memory of 876	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	47
PID 2092 wrote to memory of 460	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	48
PID 2092 wrote to memory of 460	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	48
PID 2092 wrote to memory of 460	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	48
PID 2092 wrote to memory of 580	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	49
PID 2092 wrote to memory of 580	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	49
PID 2092 wrote to memory of 580	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	49
PID 2092 wrote to memory of 2368	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	51
PID 2092 wrote to memory of 2368	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	51
PID 2092 wrote to memory of 2368	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	51
PID 2092 wrote to memory of 2428	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	52
PID 2092 wrote to memory of 2428	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	52
PID 2092 wrote to memory of 2428	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	52
PID 2092 wrote to memory of 1780	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	53
PID 2092 wrote to memory of 1780	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	53
PID 2092 wrote to memory of 1780	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	53
PID 2092 wrote to memory of 2444	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	56
PID 2092 wrote to memory of 2444	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	56
PID 2092 wrote to memory of 2444	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	56
PID 2092 wrote to memory of 2468	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	57
PID 2092 wrote to memory of 2468	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	57
PID 2092 wrote to memory of 2468	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	57
PID 2092 wrote to memory of 1840	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	58
PID 2092 wrote to memory of 1840	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	58
PID 2092 wrote to memory of 1840	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	58
PID 2092 wrote to memory of 2112	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	59
PID 2092 wrote to memory of 2112	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	59
PID 2092 wrote to memory of 2112	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	59
PID 2092 wrote to memory of 1292	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	60
PID 2092 wrote to memory of 1292	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	60
PID 2092 wrote to memory of 1292	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	60
PID 2092 wrote to memory of 748	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	70
PID 2092 wrote to memory of 748	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	70
PID 2092 wrote to memory of 748	2092	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe	70
PID 748 wrote to memory of 2100	748	OSPPSVC.exe	71
PID 748 wrote to memory of 2100	748	OSPPSVC.exe	71
PID 748 wrote to memory of 2100	748	OSPPSVC.exe	71
PID 748 wrote to memory of 2576	748	OSPPSVC.exe	72
PID 748 wrote to memory of 2576	748	OSPPSVC.exe	72
PID 748 wrote to memory of 2576	748	OSPPSVC.exe	72
PID 2100 wrote to memory of 2512	2100	WScript.exe	73
PID 2100 wrote to memory of 2512	2100	WScript.exe	73
PID 2100 wrote to memory of 2512	2100	WScript.exe	73
PID 2512 wrote to memory of 2384	2512	OSPPSVC.exe	74
PID 2512 wrote to memory of 2384	2512	OSPPSVC.exe	74
PID 2512 wrote to memory of 2384	2512	OSPPSVC.exe	74
PID 2512 wrote to memory of 2636	2512	OSPPSVC.exe	75
PID 2512 wrote to memory of 2636	2512	OSPPSVC.exe	75
PID 2512 wrote to memory of 2636	2512	OSPPSVC.exe	75
PID 2384 wrote to memory of 1688	2384	WScript.exe	76
PID 2384 wrote to memory of 1688	2384	WScript.exe	76
PID 2384 wrote to memory of 1688	2384	WScript.exe	76
PID 1688 wrote to memory of 2552	1688	OSPPSVC.exe	77
PID 1688 wrote to memory of 2552	1688	OSPPSVC.exe	77
PID 1688 wrote to memory of 2552	1688	OSPPSVC.exe	77
PID 1688 wrote to memory of 2428	1688	OSPPSVC.exe	78
PID 1688 wrote to memory of 2428	1688	OSPPSVC.exe	78
PID 1688 wrote to memory of 2428	1688	OSPPSVC.exe	78
PID 2552 wrote to memory of 796	2552	WScript.exe	79

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	OSPPSVC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe
"C:\Users\Admin\AppData\Local\Temp\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Users\Admin\OSPPSVC.exe
  "C:\Users\Admin\OSPPSVC.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55c5c8b5-10ce-416f-ab11-270d518de12d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\OSPPSVC.exe
      C:\Users\Admin\OSPPSVC.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2512
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9621aed5-939c-4e14-9e80-4cbc0e0434ae.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ed2ca8-c42f-4886-99d1-3a0521e598af.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfea1439-02df-4101-9354-913da230059b.vbs"
        9⤵
        
        PID:2020
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\831f8c38-c1c7-4640-959f-c0d0452c05dd.vbs"
        11⤵
        
        PID:1548
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ebdbb6e-0a7a-4fbc-98fc-52df846e8e00.vbs"
        13⤵
        
        PID:1312
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af5da05b-a384-4939-bcd3-301668f68a57.vbs"
        15⤵
        
        PID:2892
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0817eca1-48b1-4483-9d34-d28725bb020a.vbs"
        17⤵
        
        PID:428
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf132f9e-3d0c-4b42-8dd8-5c7de59c100c.vbs"
        19⤵
        
        PID:2500
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        20⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d0fb0c-0f3c-45fe-b4e7-dfd804839609.vbs"
        21⤵
        
        PID:2692
        
        C:\Users\Admin\OSPPSVC.exe
        
        C:\Users\Admin\OSPPSVC.exe
        22⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e03195f-65a7-4caf-a881-a216fc90df26.vbs"
        23⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77b4de8e-7399-46b3-ac10-27beb6a2b138.vbs"
        23⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f27013-418a-4744-a557-7e57a4059a48.vbs"
        21⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c952a3cb-9655-457d-9d3b-3c1ff67f952c.vbs"
        19⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a8c5a65-14d5-4d90-8afd-a06ac609ba72.vbs"
        17⤵
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06425513-71f7-4d1e-bc30-bbb30e6a7d10.vbs"
        15⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d41d50c-ad27-4e89-a3ea-be512e369c08.vbs"
        13⤵
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c9c30eb-dbb6-4782-a311-255b6e0bba68.vbs"
        11⤵
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30c27c37-0944-496c-9bb0-c34438cdee52.vbs"
        9⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6d8b2da-fdfd-4786-92f5-3913c76f183e.vbs"
        7⤵
        
        PID:2428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddbafa1f-7265-4bc7-8576-b5ea7bfc7af3.vbs"
        5⤵
        
        PID:2636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e1da00c-d124-4d27-87b1-88f6fb8c529b.vbs"
    3⤵
    PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94ab" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\ja-JP\b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\wininit.exe

Filesize
4.9MB

MD5
a450c06717644483e3437db615ea4114

SHA1
93ece99062cee7344d7059986cc4727c92dbfca9

SHA256
b8a3b35b685e72c1be24942f0520a286d5e65873aafb0f959ba551dae50ff94a

SHA512
cb7d295f30fa69e98f52ac240e76ed9e776142a898a15c0a8911a693ccdcea441281a79c2b7f0e1e6567cc0bb73a9a6320c359a4a775b943fc84b78df6e42a24

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe

Filesize
4.9MB

MD5
dec0f16e6b322c78b05d1884fe0e8953

SHA1
66303bf2a3ea6106f17231325d2603491b0e086c

SHA256
b7c68a793672cd348a6acff94be88f090fa2caf5fbbb7c6079c217faf53a82ff

SHA512
a79d28d6772c996d35de1884d4efb1f3ef9594829e885499955ee1172a9e968db0aa74f5bf294f701b0fe94bb69125696e2613911f199e50e4e8bbf5ed8f4623

Download Submit
C:\Users\Admin\AppData\Local\Temp\0817eca1-48b1-4483-9d34-d28725bb020a.vbs

Filesize
702B

MD5
29de9e2b9e9b289a9cb4a74db98390a1

SHA1
ea83c3d20b844d28d2d1a1e1fda8ba66652e78e9

SHA256
84e36ec3da581de00ea3f50b66a8be44412e85a2ec4c10c3ae8a61b34ac94748

SHA512
b5467554a4b788d38435cc72d3ef449143457ecd577731045843f461cdf75a1e42bebf885eb11f77b218f033193a0a81d0f3adcd90aaede640b4094e0351f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ebdbb6e-0a7a-4fbc-98fc-52df846e8e00.vbs

Filesize
702B

MD5
085ab3ad90d3a7712a989e95a068ef63

SHA1
464600664ae485d8780630c57ce9d057eb45d18f

SHA256
a86aacf6398978fdf485b9f1c965875eae51025362f80ab7c2b674089bc06262

SHA512
6d79965c717e86269ea3465379743d82c8a9c15cb4bbfc621bb33bfc7475cced8727d380e7bf0e7167639fdac98b75ce4dcb5fb7cba798f5a34b24e6e6a18486

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e03195f-65a7-4caf-a881-a216fc90df26.vbs

Filesize
702B

MD5
2b4dd094afab5635a31f59f414fd6d12

SHA1
768d293e5a9205eee4e9250799373d1953369c2e

SHA256
3dd7bb62b85da8015d785a106c8c93555a60d7af58bce461d0b14beaa9f64716

SHA512
0971f0cd9074a240ce69629105e66b8f43ed114d38d50582bd322c54776b42a9535942133919262a99757bfda7238c526b00d4a4b1a12eea3320e32925beba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42ed2ca8-c42f-4886-99d1-3a0521e598af.vbs

Filesize
702B

MD5
cb174ed4bb2c5ff4c94842c3c4854b35

SHA1
2799dca9e0c1f04bdb04c8b0c29ba39937cc44f8

SHA256
1b0f36bc1cecf2be1c55de3a2b32358f24f2555d27a72945138782e1206f4384

SHA512
7fac983f584731720df28ffe0fe434d23a7ec78019ec02288e34a8e08d2fae024142300b12c8fdf4bf07f55efd169d111ee92d6c8bcfce9960982e00e3ad2550

Download Submit
C:\Users\Admin\AppData\Local\Temp\495ed7a571ccf08ae8b9f094a66930378fbbab46.exe

Filesize
4.9MB

MD5
646cb5a3647104405b818900e2981961

SHA1
7d898502240efb0b40875da5610e8080723a9464

SHA256
a9c7e06c5d16aa88d9fd01b46bbce1550e64e7233b087a0bd611069c7fc004f0

SHA512
539b0309190c157937454ce9f9506b5f5e261fe08dab731a2e78095bbd047f90ffb4c0637ae3f933faa6ccabc1a276f59d8cfb5d93684f9ff1273654c08ef4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\495ed7a571ccf08ae8b9f094a66930378fbbab46.exe

Filesize
4.9MB

MD5
d88e7e175525d240bf01241524fe33c9

SHA1
c064f5b37c67cdb2205cd47606b79123ac92bcb8

SHA256
a418f9cd11c9ce97cb6a466dd7fd925e2e1e98cf810db19dd62e32d2aed32017

SHA512
442435cde284716c239e29f81b9e1feb505074cee04ee4bde3eef1f9d57e048a8c6e42d72d205f88cb582d76bb665b502163e06b84bc6eb7822772d0a20d3377

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e1da00c-d124-4d27-87b1-88f6fb8c529b.vbs

Filesize
478B

MD5
fc5c95cb2ddcd8ed5da25b389bf83664

SHA1
08bd392b17b65680d440bac36e719a2d1abc0b83

SHA256
a88fb7189b85ea9e0f1d656219c5f3a744f6c1009d2d7167c95fa0f1a0b0d4f9

SHA512
00c8f061f5f467ab1b50eb1158ce8c5cab28c87df8fa4bf3ecd122918ef6117871a6e3814d16312453b11e05712fe4ef22f40eb658e2dcaf86dd66d77683601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\55c5c8b5-10ce-416f-ab11-270d518de12d.vbs

Filesize
701B

MD5
7b71eec7a53a081771b4116fe5bee58a

SHA1
5909b9b7bc2bb233cbbc32b962e3de16440edef7

SHA256
15f2091f0ba05aa73ef3130fddac39273fec70ee87752f421c59075b52232d94

SHA512
def3e739052eac1744c88d812df6d61fb139f4498d4ca211976b73ad4c8486738e4ae9793633b6ab54b9de79602a47c47dc377874fde441896e20c85745b9ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\831f8c38-c1c7-4640-959f-c0d0452c05dd.vbs

Filesize
702B

MD5
4201c0a83bc964eb201e719d2c915714

SHA1
bae23052040c73183d1b68bdd1c81455159c83fd

SHA256
c086be12f476a8fa4f5d2aab52b0a156bf3db1cce1d98947fe42b54c07caa076

SHA512
948ed1eb6ca18931da147066146dfbeb06bf446b1a3f0245428e672abe60ee6e2812b4b8f00cd513fdeacc8602383d94be9fd4c9dc6d933dbdabe9cd0b564106

Download Submit
C:\Users\Admin\AppData\Local\Temp\9621aed5-939c-4e14-9e80-4cbc0e0434ae.vbs

Filesize
702B

MD5
6c70c3d28a6f45ab197e1a17c6bbb6ef

SHA1
4c3fe17cf550c697359d7adee65a08827a24d400

SHA256
1e68fc0e9ea9ade3c987fb4864f750eb97ee453c0ad0887c1df170f415a722aa

SHA512
64d2aefe1f1864f21645ec8450daea327db807e6dae2a7a6b90f47652ca31e5e5925fa9b3feb23d2c441e532f08e6579614845ac35324cd40647151f91a49624

Download Submit
C:\Users\Admin\AppData\Local\Temp\af5da05b-a384-4939-bcd3-301668f68a57.vbs

Filesize
701B

MD5
6e9128b37b9696084b013ef2e266d146

SHA1
95883686cb224d8c8be850bb9b3378ee979005ad

SHA256
ab747c2e8557b8fdb7172f82bb15f4b69b9aac6c4b70dd013b67da0a6e7c6b4d

SHA512
f6b36b009376c603f427d0e3af5d2c4a36b0621f67b695b0bf27cd5ac27e84007c7703e1c2b0afe555460d19af296c6e04ef51fb5bbe35f03ca58e030ce51c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf132f9e-3d0c-4b42-8dd8-5c7de59c100c.vbs

Filesize
702B

MD5
f1a36e19af83af84c9103ab445749e28

SHA1
f2921588f0cffd21d6cbb56d3c0fa842ad5fc04d

SHA256
df99607b968788e27d2d903a244980d1038c35714092ad09d863a79c191529db

SHA512
0efadcad27cd5ec49770019946d462abb84ce9fc4ecf978e4788b9294f831314bbae1ff8cadea1bf1130adb98d6f75e5189fea93b4ea9a4a25b452118a778c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9d0fb0c-0f3c-45fe-b4e7-dfd804839609.vbs

Filesize
701B

MD5
601594889c87fd045069110a53b75a83

SHA1
25c91e17e8894aa879404190907e866376c312d3

SHA256
eb2328801732d83563299b0c865e56d2db5944415b3a359f3efdd8aaae5daa95

SHA512
5e44d39f46b5af2b6447155d158069de0438b232ddbe14a6736037c1683119b6ded8e3326ddac90407e30f533c23b96e466f30889bee041756edef9afb67ed59

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfea1439-02df-4101-9354-913da230059b.vbs

Filesize
701B

MD5
6050dbb5e4fb73493a9591eb3a01850c

SHA1
c75d96c85f1432a7a886f6569b4962437c1dc6a0

SHA256
17cf5054420a50a4e2eb1eb56756446f1a9d86eed5a8e414293eec1e689efdc3

SHA512
65f02b27a4d8c2c6112a74021aff5c2d16933f7c3e817c70abf789b5dc68d6590dabf07e29b07c977c216144c0e711fe0af8dff563ae7450e8570f2a51d17f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E35.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9117bbdeb0449d838452e0e60a8d5a33

SHA1
c6ba48685302b3d031a8de3ad2cd70e5dde73102

SHA256
6cc65bd9c3b7bc24124c8e047de111d94fd1b84beb262e87aca036d0721cec42

SHA512
b2ab840f488e19688d5b331ab225ce6b0ca9e33ae8300ce332cf73429cdaa883e6bf006167760d255001ea3d90048056d8f6049ce28fc0a19f67d0879a5e70a2

Download Submit
memory/460-130-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/748-134-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/748-129-0x0000000000C30000-0x0000000001124000-memory.dmp

Filesize
5.0MB

Download
memory/956-264-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/956-263-0x0000000000210000-0x0000000000704000-memory.dmp

Filesize
5.0MB

Download
memory/1688-162-0x00000000010E0000-0x00000000015D4000-memory.dmp

Filesize
5.0MB

Download
memory/1780-191-0x00000000013A0000-0x0000000001894000-memory.dmp

Filesize
5.0MB

Download
memory/1780-192-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/2092-10-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2092-5-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2092-123-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2092-15-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/2092-14-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2092-13-0x0000000002490000-0x000000000249E000-memory.dmp

Filesize
56KB

Download
memory/2092-12-0x0000000002480000-0x000000000248E000-memory.dmp

Filesize
56KB

Download
memory/2092-9-0x00000000023D0000-0x00000000023DA000-memory.dmp

Filesize
40KB

Download
memory/2092-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2092-1-0x0000000000990000-0x0000000000E84000-memory.dmp

Filesize
5.0MB

Download
memory/2092-3-0x000000001B690000-0x000000001B7BE000-memory.dmp

Filesize
1.2MB

Download
memory/2092-11-0x0000000002470000-0x000000000247A000-memory.dmp

Filesize
40KB

Download
memory/2092-8-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2092-7-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/2092-6-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2092-16-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/2092-4-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2444-131-0x0000000002500000-0x0000000002508000-memory.dmp

Filesize
32KB

Download
memory/2512-146-0x0000000000230000-0x0000000000724000-memory.dmp

Filesize
5.0MB

Download
memory/2512-147-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/3068-279-0x00000000008C0000-0x0000000000DB4000-memory.dmp

Filesize
5.0MB

Download