colibri | 8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Size

4.9MB
MD5

7c5669c1eb8e15de18ad5888920de3f7
SHA1

62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb
SHA256

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811
SHA512

791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db
SSDEEP

49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8Z:R

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
Colibri family
colibri

DcRat 51 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1820	schtasks.exe
2028	schtasks.exe
3388	schtasks.exe
3828	schtasks.exe
3996	schtasks.exe
1920	schtasks.exe
452	schtasks.exe
2252	schtasks.exe
1560	schtasks.exe
2676	schtasks.exe
2728	schtasks.exe
4844	schtasks.exe
5080	schtasks.exe
2012	schtasks.exe
1652	schtasks.exe
3880	schtasks.exe
1704	schtasks.exe
4296	schtasks.exe
4488	schtasks.exe
1976	schtasks.exe
2372	schtasks.exe
3980	schtasks.exe
1280	schtasks.exe
4440	schtasks.exe
1708	schtasks.exe
4228	schtasks.exe
4876	schtasks.exe
372	schtasks.exe
1540	schtasks.exe
3212	schtasks.exe
784	schtasks.exe
4472	schtasks.exe
2304	schtasks.exe
3996	schtasks.exe
716	schtasks.exe
2512	schtasks.exe
388	schtasks.exe
1996	schtasks.exe
2272	schtasks.exe
1844	schtasks.exe
1544	schtasks.exe
716	schtasks.exe
1096	schtasks.exe
4944	schtasks.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\81dc0bd0bf0ef5	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
4532	schtasks.exe
2264	schtasks.exe
3656	schtasks.exe
4856	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3352	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	3352	schtasks.exe

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/968-3-0x000000001BCC0000-0x000000001BDEE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3664	powershell.exe
4844	powershell.exe
1708	powershell.exe
4768	powershell.exe
2788	powershell.exe
3176	powershell.exe
3348	powershell.exe
1528	powershell.exe
776	powershell.exe
1092	powershell.exe
4060	powershell.exe
4228	powershell.exe
4004	powershell.exe
4632	powershell.exe
1116	powershell.exe
3792	powershell.exe
1440	powershell.exe
4968	powershell.exe
4744	powershell.exe
1284	powershell.exe
2100	powershell.exe
1444	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe

Executes dropped EXE 49 IoCs

Processes:

tmp7D51.tmp.exetmp7D51.tmp.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exetmp9078.tmp.exetmp9078.tmp.exetmp9078.tmp.exeWmiPrvSE.exetmpB805.tmp.exetmpB805.tmp.exeWmiPrvSE.exetmpD4A5.tmp.exetmpD4A5.tmp.exetmpD4A5.tmp.exetmpD4A5.tmp.exeWmiPrvSE.exetmpF08A.tmp.exetmpF08A.tmp.exeWmiPrvSE.exetmp1FB8.tmp.exetmp1FB8.tmp.exeWmiPrvSE.exetmp5186.tmp.exetmp5186.tmp.exeWmiPrvSE.exetmp6D3C.tmp.exetmp6D3C.tmp.exeWmiPrvSE.exetmp9DA2.tmp.exetmp9DA2.tmp.exetmp9DA2.tmp.exetmp9DA2.tmp.exeWmiPrvSE.exetmpCE67.tmp.exetmpCE67.tmp.exeWmiPrvSE.exetmpEB36.tmp.exetmpEB36.tmp.exeWmiPrvSE.exetmp1A64.tmp.exetmp1A64.tmp.exeWmiPrvSE.exetmp4ABB.tmp.exetmp4ABB.tmp.exeWmiPrvSE.exetmp7A76.tmp.exetmp7A76.tmp.exeWmiPrvSE.exetmpAB69.tmp.exetmpAB69.tmp.exe

pid	process
1436	tmp7D51.tmp.exe
2636	tmp7D51.tmp.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1140	tmp9078.tmp.exe
4888	tmp9078.tmp.exe
448	tmp9078.tmp.exe
448	WmiPrvSE.exe
4704	tmpB805.tmp.exe
4472	tmpB805.tmp.exe
3344	WmiPrvSE.exe
1032	tmpD4A5.tmp.exe
3592	tmpD4A5.tmp.exe
4424	tmpD4A5.tmp.exe
4840	tmpD4A5.tmp.exe
4268	WmiPrvSE.exe
880	tmpF08A.tmp.exe
4940	tmpF08A.tmp.exe
1188	WmiPrvSE.exe
3324	tmp1FB8.tmp.exe
4756	tmp1FB8.tmp.exe
1432	WmiPrvSE.exe
4060	tmp5186.tmp.exe
976	tmp5186.tmp.exe
4720	WmiPrvSE.exe
5056	tmp6D3C.tmp.exe
880	tmp6D3C.tmp.exe
4176	WmiPrvSE.exe
1924	tmp9DA2.tmp.exe
548	tmp9DA2.tmp.exe
1764	tmp9DA2.tmp.exe
2868	tmp9DA2.tmp.exe
1780	WmiPrvSE.exe
4388	tmpCE67.tmp.exe
2108	tmpCE67.tmp.exe
3216	WmiPrvSE.exe
4960	tmpEB36.tmp.exe
1864	tmpEB36.tmp.exe
1596	WmiPrvSE.exe
1000	tmp1A64.tmp.exe
2028	tmp1A64.tmp.exe
4236	WmiPrvSE.exe
5036	tmp4ABB.tmp.exe
2372	tmp4ABB.tmp.exe
684	WmiPrvSE.exe
4280	tmp7A76.tmp.exe
4288	tmp7A76.tmp.exe
1864	WmiPrvSE.exe
2936	tmpAB69.tmp.exe
2376	tmpAB69.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

tmp7D51.tmp.exetmp9078.tmp.exetmpB805.tmp.exetmpD4A5.tmp.exetmpF08A.tmp.exetmp1FB8.tmp.exetmp5186.tmp.exetmp6D3C.tmp.exetmp9DA2.tmp.exetmpCE67.tmp.exetmpEB36.tmp.exetmp1A64.tmp.exetmp4ABB.tmp.exetmp7A76.tmp.exetmpAB69.tmp.exe

description	pid	process	target process
PID 1436 set thread context of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 4888 set thread context of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4704 set thread context of 4472	4704	tmpB805.tmp.exe	tmpB805.tmp.exe
PID 4424 set thread context of 4840	4424	tmpD4A5.tmp.exe	tmpD4A5.tmp.exe
PID 880 set thread context of 4940	880	tmpF08A.tmp.exe	tmpF08A.tmp.exe
PID 3324 set thread context of 4756	3324	tmp1FB8.tmp.exe	tmp1FB8.tmp.exe
PID 4060 set thread context of 976	4060	tmp5186.tmp.exe	tmp5186.tmp.exe
PID 5056 set thread context of 880	5056	tmp6D3C.tmp.exe	tmp6D3C.tmp.exe
PID 1764 set thread context of 2868	1764	tmp9DA2.tmp.exe	tmp9DA2.tmp.exe
PID 4388 set thread context of 2108	4388	tmpCE67.tmp.exe	tmpCE67.tmp.exe
PID 4960 set thread context of 1864	4960	tmpEB36.tmp.exe	tmpEB36.tmp.exe
PID 1000 set thread context of 2028	1000	tmp1A64.tmp.exe	tmp1A64.tmp.exe
PID 5036 set thread context of 2372	5036	tmp4ABB.tmp.exe	tmp4ABB.tmp.exe
PID 4280 set thread context of 4288	4280	tmp7A76.tmp.exe	tmp7A76.tmp.exe
PID 2936 set thread context of 2376	2936	tmpAB69.tmp.exe	tmpAB69.tmp.exe

Drops file in Program Files directory 14 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\81dc0bd0bf0ef5	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\38384e6a620884	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX7A04.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Idle.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCX77F0.tmp	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Media Player\Idle.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Program Files (x86)\Windows Media Player\6ccacd8608530f	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Drops file in Windows directory 16 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	process
File created	C:\Windows\IME\uk-UA\56085415360792	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\IdentityCRL\INT\121e5b5079f7c0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\Globalization\Time Zone\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\IdentityCRL\INT\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\IME\uk-UA\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\IME\de-DE\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\tracing\c5b4cb5e9653cc	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\Globalization\Time Zone\56085415360792	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\Globalization\Time Zone\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\IME\uk-UA\wininit.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\IME\de-DE\121e5b5079f7c0	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\schemas\TSWorkSpace\fontdrvhost.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\tracing\services.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\tracing\services.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File created	C:\Windows\IdentityCRL\INT\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
File opened for modification	C:\Windows\IME\de-DE\sysmon.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmpF08A.tmp.exetmp5186.tmp.exetmp9DA2.tmp.exetmp9DA2.tmp.exetmpCE67.tmp.exetmp7D51.tmp.exetmp9078.tmp.exetmpD4A5.tmp.exetmp7A76.tmp.exetmpD4A5.tmp.exetmpEB36.tmp.exetmp4ABB.tmp.exetmp1FB8.tmp.exetmpAB69.tmp.exetmp9078.tmp.exetmpB805.tmp.exetmpD4A5.tmp.exetmp6D3C.tmp.exetmp9DA2.tmp.exetmp1A64.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF08A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5186.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9DA2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9DA2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCE67.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7D51.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9078.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7A76.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEB36.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4ABB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1FB8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAB69.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9078.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB805.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6D3C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9DA2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1A64.tmp.exe

Modifies registry class 15 IoCs

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WmiPrvSE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1096	schtasks.exe
1708	schtasks.exe
1820	schtasks.exe
388	schtasks.exe
3388	schtasks.exe
1704	schtasks.exe
1844	schtasks.exe
4228	schtasks.exe
4876	schtasks.exe
2012	schtasks.exe
1544	schtasks.exe
4440	schtasks.exe
2512	schtasks.exe
1920	schtasks.exe
2372	schtasks.exe
3212	schtasks.exe
1996	schtasks.exe
3996	schtasks.exe
5080	schtasks.exe
716	schtasks.exe
3656	schtasks.exe
4856	schtasks.exe
1652	schtasks.exe
3880	schtasks.exe
4944	schtasks.exe
2252	schtasks.exe
2272	schtasks.exe
1560	schtasks.exe
2728	schtasks.exe
372	schtasks.exe
1540	schtasks.exe
1976	schtasks.exe
4532	schtasks.exe
1280	schtasks.exe
2304	schtasks.exe
3828	schtasks.exe
3996	schtasks.exe
452	schtasks.exe
784	schtasks.exe
2028	schtasks.exe
2264	schtasks.exe
4472	schtasks.exe
3980	schtasks.exe
2676	schtasks.exe
4488	schtasks.exe
4844	schtasks.exe
716	schtasks.exe
4296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1440	powershell.exe
1440	powershell.exe
776	powershell.exe
776	powershell.exe
4968	powershell.exe
4968	powershell.exe
1444	powershell.exe
1444	powershell.exe
3792	powershell.exe
3792	powershell.exe
4768	powershell.exe
4768	powershell.exe
1528	powershell.exe
1528	powershell.exe
1708	powershell.exe
1708	powershell.exe
2788	powershell.exe
3664	powershell.exe
2788	powershell.exe
3664	powershell.exe
1708	powershell.exe
1116	powershell.exe
1116	powershell.exe
776	powershell.exe
1444	powershell.exe
1440	powershell.exe
1440	powershell.exe
3792	powershell.exe
4768	powershell.exe
1528	powershell.exe
4968	powershell.exe
3664	powershell.exe
2788	powershell.exe
1116	powershell.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
1092	powershell.exe
1092	powershell.exe
4632	powershell.exe
4632	powershell.exe
4228	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	448	WmiPrvSE.exe
Token: SeDebugPrivilege	3344	WmiPrvSE.exe
Token: SeDebugPrivilege	4268	WmiPrvSE.exe
Token: SeDebugPrivilege	1188	WmiPrvSE.exe
Token: SeDebugPrivilege	1432	WmiPrvSE.exe
Token: SeDebugPrivilege	4720	WmiPrvSE.exe
Token: SeDebugPrivilege	4176	WmiPrvSE.exe
Token: SeDebugPrivilege	1780	WmiPrvSE.exe
Token: SeDebugPrivilege	3216	WmiPrvSE.exe
Token: SeDebugPrivilege	1596	WmiPrvSE.exe
Token: SeDebugPrivilege	4236	WmiPrvSE.exe
Token: SeDebugPrivilege	684	WmiPrvSE.exe
Token: SeDebugPrivilege	1864	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exetmp7D51.tmp.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exetmp9078.tmp.exetmp9078.tmp.exe

description	pid	process	target process
PID 968 wrote to memory of 1116	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1116	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1444	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1444	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1528	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1528	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 3664	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 3664	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 776	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 776	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 4968	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 4968	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1440	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1440	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 3792	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 3792	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 2788	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 2788	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1708	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1708	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 4768	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 4768	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 968 wrote to memory of 1436	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp7D51.tmp.exe
PID 968 wrote to memory of 1436	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp7D51.tmp.exe
PID 968 wrote to memory of 1436	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 1436 wrote to memory of 2636	1436	tmp7D51.tmp.exe	tmp7D51.tmp.exe
PID 968 wrote to memory of 2700	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
PID 968 wrote to memory of 2700	968	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
PID 2700 wrote to memory of 1140	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp9078.tmp.exe
PID 2700 wrote to memory of 1140	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp9078.tmp.exe
PID 2700 wrote to memory of 1140	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	tmp9078.tmp.exe
PID 1140 wrote to memory of 4888	1140	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 1140 wrote to memory of 4888	1140	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 1140 wrote to memory of 4888	1140	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 4888 wrote to memory of 448	4888	tmp9078.tmp.exe	tmp9078.tmp.exe
PID 2700 wrote to memory of 1092	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 1092	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 2100	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 2100	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4632	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4632	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4744	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4744	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4844	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4844	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4060	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4060	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 3348	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 3348	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 1284	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 1284	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe
PID 2700 wrote to memory of 4004	2700	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe	powershell.exe

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

Processes:

WmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exe8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
"C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
1⤵
- DcRat
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\tmp7D51.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7D51.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\tmp7D51.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp7D51.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe
  "C:\Users\Admin\AppData\Local\Temp\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Users\Default\Application Data\WmiPrvSE.exe
    "C:\Users\Default\Application Data\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af297ef5-08a4-4b8e-86cc-471350f3bb65.vbs"
      4⤵
      PID:232
    - - C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb026231-7782-4880-99c3-41a0035a53de.vbs"
        6⤵
        
        PID:3132
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f1327b9-e93a-4ca3-bba3-face42e238f4.vbs"
        8⤵
        
        PID:3404
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500b523d-4e8e-4325-833a-d4ac41bd30f1.vbs"
        10⤵
        
        PID:3880
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eada9d47-a949-4afc-9388-bb909238b2aa.vbs"
        12⤵
        
        PID:2760
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e4b60ad-9dd8-472b-91ab-28c8cf9a9cf8.vbs"
        14⤵
        
        PID:3780
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9f5f18a-fcc5-48e1-b239-a74b8fbca0c0.vbs"
        16⤵
        
        PID:1820
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d6cebda-9e4c-4be2-ad26-735d86f428c7.vbs"
        18⤵
        
        PID:4580
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76cad8e9-8660-45f2-99e7-091497801176.vbs"
        20⤵
        
        PID:832
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e054f34-f75b-441c-8e81-5c408f18e4fd.vbs"
        22⤵
        
        PID:2380
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\91c25a91-01c5-4231-ab63-8027ac12cf61.vbs"
        24⤵
        
        PID:3340
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27d75ff4-7ec0-4782-bed8-0481437ed9ec.vbs"
        26⤵
        
        PID:1612
        
        C:\Users\Default\Application Data\WmiPrvSE.exe
        
        "C:\Users\Default\Application Data\WmiPrvSE.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ad62949-8b49-4aed-981e-13f05992700f.vbs"
        28⤵
        
        PID:3544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d466fcf3-93f4-40e8-a520-e666765c3bff.vbs"
        28⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB69.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB69.tmp.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmpAB69.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpAB69.tmp.exe"
        29⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9089d2a-4387-4a1e-a95d-b256f8a2a047.vbs"
        26⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7A76.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7A76.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7A76.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7A76.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2119d7c9-0c0d-4490-bad8-ac2ce17dd440.vbs"
        24⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp4ABB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4ABB.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp4ABB.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4ABB.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbed8243-35fe-47d7-8a15-330678b906e9.vbs"
        22⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1A64.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca7d193b-cccc-4b03-9814-10580eb21a9f.vbs"
        20⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmpEB36.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEB36.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmpEB36.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpEB36.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0a93071-dd0b-4e7b-a17d-7a9475f4cb5d.vbs"
        18⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmpCE67.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCE67.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmpCE67.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpCE67.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a49668e7-e4fd-4f94-aaf8-c0f13e35e2eb.vbs"
        16⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp9DA2.tmp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6692ea29-ef85-4230-9c0d-8d9eb6c90d2b.vbs"
        14⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D3C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D3C.tmp.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp6D3C.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp6D3C.tmp.exe"
        15⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be48a0b-d3ff-4be2-8f60-6bd39293f01c.vbs"
        12⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp5186.tmp.exe"
        13⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d3dc334-c9c4-4f80-96c7-01419b00eb4d.vbs"
        10⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1FB8.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\306b0902-b145-46be-9d5a-9f144a4d44ca.vbs"
        8⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmpF08A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF08A.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmpF08A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF08A.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4940
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d548656a-dd1b-4e8a-b701-ddaf2470ff47.vbs"
        6⤵
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpD4A5.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4840
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3b02adf-7daa-4533-a339-23044a0adc50.vbs"
      4⤵
      PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpB805.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa8118" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa8118" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\uk-UA\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\uk-UA\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\uk-UA\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\de-DE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\de-DE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7D51.tmpt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\tmp7D51.tmp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7D51.tmp" /sc ONLOGON /tr "'C:\Users\Default User\tmp7D51.tmp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tmp7D51.tmpt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\tmp7D51.tmp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Globalization\Time Zone\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Time Zone\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe

Filesize
4.9MB

MD5
7c5669c1eb8e15de18ad5888920de3f7

SHA1
62f204afa1b1c8dda8f0474ce2e5e915ba5d49bb

SHA256
8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811

SHA512
791b8c43b98b3d80b20071b9088bae6171f4e5ae34c1b56fdc7074d0785fc0bd3d9c4efbdabbcf42962725eff9ab543f47004c1f6641777b54dd1d28fe2584db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\8a2f307ad0174e4040dec837791e91c48f3d9b8e944a72678dc14eee2b5aa811.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
624e41a75a6dfd62039973dbbfdbe622

SHA1
f791e4cc85d6ae7039acef57a9025b173d7e963b

SHA256
ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1

SHA512
a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c557aa00dc4a6ff86db4be1735e9d30

SHA1
7c155ad08e280926832bdad0aa948843de2ce5a2

SHA256
aad198f453bdcef5e479c7e622c005782f94d0b391798245284aad9506fa7e48

SHA512
2c311b272941308197e3f2fe9d961dda9682dfd514cc48bc63b156afb0d18cace8635f0d080b9f77ed43e67b551232a6fb5b86e88c2414f8bd2f32cbe5521ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c625954a51c4bbd8141206b00f6fc0a

SHA1
4128cb2f9d2984844e303e2e330e448334e5c273

SHA256
952515feb4929cfad2435c679a5fad19242e938e8a7c97afebb1f3d996bd3ec4

SHA512
3f7c4ea0551de5b6237ca13419413e6e73e85632e9bb09b5354d6310b5969f9c3a2dc27142e75e8572c2c65b2bc7615269fad27dcea2f91c389b6758e2630517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be9c6a21d90825886142766cd312e54b

SHA1
e7e246b00840168afd9258647a9ce03ccd9fb180

SHA256
cac8fe806966ec5f049e11731d0576dca138e3b7b735c8ee84052ef7d918485f

SHA512
70f567a4ac7847adf5196d68f6a7e370cc6d3aa40c0edd4f1190a638adfd109c94ad4c0b9d832b2c4b1cae0105bd0983936944ee824a4b7feed7d1170cfdd464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dcee2c4799aaf7d786c7a18e235934c4

SHA1
92b08222812d2c4392cd5babf316c6509a1d202c

SHA256
33fb8b90e373768d57f2726dc808e2a6319dcea75ed4be819316a4bc3c2f85c1

SHA512
05986414ab12b9b52335528dc4dc1ef6fee378afa09a2858b0ea77cb0c9aaf4339ccae272bbc760ff63d31ad27e8a8206ae0152be82015f49c177cb62b515f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\500b523d-4e8e-4325-833a-d4ac41bd30f1.vbs

Filesize
722B

MD5
e7e2869e40352bd73bcef7145b5cfa08

SHA1
cccc8b0b7132249d052f5ce8479390f8a11f4b78

SHA256
b6f034913deb57e7918a3e7f4a2a582772f46302cf27d72615aded70a8919927

SHA512
5ea7cd3dbad0b83ce1ec3658df7b4528ec6e63997c70457eb03fa6202c33f785e9286620f7dd4a1ea0e1bbdc4fd14f61f5ac65d222c9f92d0050275d6e36b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f1327b9-e93a-4ca3-bba3-face42e238f4.vbs

Filesize
722B

MD5
5fcfb5274e449d89c4d670e1f432e8a0

SHA1
591aeeeec9873a89d25254d8715d584fb6406fa3

SHA256
f2be8fa2a0030f63217f5a34e8d634f12e25baff47252fd0426379349d171ea7

SHA512
55b8ffbe2a3962b58b2e35bd934dfba1162889802c6a6cc677c147e8adae66b4e872bca1c783d2e1ffc5e585d0d9c830e6d2d4a11e22162ec72c5c0eb10752f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dijbc0xk.h0c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\af297ef5-08a4-4b8e-86cc-471350f3bb65.vbs

Filesize
721B

MD5
46bd64ebde378184c7e90cb73d89e929

SHA1
260faf52fb27cc18b3a77d68281617286807a64f

SHA256
d9930d00fc2aa91ceb5b9a442a308569d37e7ecf9af8cacf9c9e983ef230365d

SHA512
4dd311016f5e4995fb11568da37fcb0ad8f69843777038499368a17c5ce576fbb622b7225b1a72c60e0501392d27fdcbf2040f644b418101fe03e091f85c95bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3b02adf-7daa-4533-a339-23044a0adc50.vbs

Filesize
498B

MD5
43fb3da3d7e4f57fa92a4c880387c2b0

SHA1
a51a7c7daee76fa36a9f9bff443363e70ea31e85

SHA256
73f3febc9744ced5eb64b9f050ef428d6f816622ea430c574cba2576be17efbf

SHA512
25c66462490548208752ccdf2941c1370c9ad4efb28e390eb3c725d73593a8669fc03f904798c20523e4b4bd492bbe56211b6be3a1e4943ff230f4ce9205cbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb026231-7782-4880-99c3-41a0035a53de.vbs

Filesize
722B

MD5
95813842dd38609c93e45f81071f9a98

SHA1
1c31c29d48e49a4d95e5e206f5afddaef1dcc373

SHA256
51c68ffb02cc0b047158c069243065ab37708f16cb5290a69696555b736e8d10

SHA512
3cdbddb084679aa82da94fa7a3e89e8b66b362512769070ef97349d5f386463fca627f2b21b5a118a09073b952338d1160df01af9870c4d30b28ddbdde5c50df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D51.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
memory/776-46-0x0000022969CC0000-0x0000022969CE2000-memory.dmp

Filesize
136KB

Download
memory/968-12-0x000000001C9D0000-0x000000001CEF8000-memory.dmp

Filesize
5.2MB

Download
memory/968-154-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/968-10-0x000000001BDF0000-0x000000001BDFA000-memory.dmp

Filesize
40KB

Download
memory/968-16-0x000000001C4A0000-0x000000001C4A8000-memory.dmp

Filesize
32KB

Download
memory/968-18-0x000000001C4C0000-0x000000001C4CC000-memory.dmp

Filesize
48KB

Download
memory/968-17-0x000000001C4B0000-0x000000001C4B8000-memory.dmp

Filesize
32KB

Download
memory/968-13-0x000000001BE10000-0x000000001BE1A000-memory.dmp

Filesize
40KB

Download
memory/968-14-0x000000001BE20000-0x000000001BE2E000-memory.dmp

Filesize
56KB

Download
memory/968-9-0x000000001BBA0000-0x000000001BBB0000-memory.dmp

Filesize
64KB

Download
memory/968-0-0x00007FFA2AAA3000-0x00007FFA2AAA5000-memory.dmp

Filesize
8KB

Download
memory/968-1-0x0000000000A10000-0x0000000000F04000-memory.dmp

Filesize
5.0MB

Download
memory/968-11-0x000000001BE00000-0x000000001BE12000-memory.dmp

Filesize
72KB

Download
memory/968-15-0x000000001BE30000-0x000000001BE3E000-memory.dmp

Filesize
56KB

Download
memory/968-8-0x000000001BB80000-0x000000001BB96000-memory.dmp

Filesize
88KB

Download
memory/968-6-0x00000000017F0000-0x00000000017F8000-memory.dmp

Filesize
32KB

Download
memory/968-7-0x00000000030F0000-0x0000000003100000-memory.dmp

Filesize
64KB

Download
memory/968-5-0x000000001BE40000-0x000000001BE90000-memory.dmp

Filesize
320KB

Download
memory/968-4-0x0000000001820000-0x000000000183C000-memory.dmp

Filesize
112KB

Download
memory/968-2-0x00007FFA2AAA0000-0x00007FFA2B561000-memory.dmp

Filesize
10.8MB

Download
memory/968-3-0x000000001BCC0000-0x000000001BDEE000-memory.dmp

Filesize
1.2MB

Download
memory/2636-150-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3344-455-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download