dcrat | cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Size

1.5MB
MD5

9e54b620ba5ba95578b28cf40ce2f690
SHA1

861c80cee6a1da4b207354fa67bf6d048e52cc1c
SHA256

cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b
SHA512

e77aae75f9d9dc2843ec3b0a0b8561acfc4ab873fcd91e8d73f01179a889c837229b1d0e05fc6f948355ac638429a8e0aec53a6aaecc0ccfa6a5562a5dd78c96
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpR:EzhWhCXQFN+0IEuQgyiVK

Score

10^/10

dcrat evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\notepad\\explorer.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Windows\\System32\\wbem\\smtpcons\\WmiPrvSE.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\notepad\\explorer.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\", \"C:\\Windows\\System32\\wbem\\smtpcons\\WmiPrvSE.exe\", \"C:\\Documents and Settings\\wininit.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2856	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2856	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2856	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2856	schtasks.exe	31

UAC bypass 3 TTPs 36 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe
600	powershell.exe
1488	powershell.exe
928	powershell.exe
1120	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Executes dropped EXE 11 IoCs

pid	Process
1300	explorer.exe
2160	explorer.exe
2664	explorer.exe
3048	explorer.exe
2776	explorer.exe
2264	explorer.exe
2752	explorer.exe
2284	explorer.exe
2548	explorer.exe
608	explorer.exe
2156	explorer.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Documents and Settings\\wininit.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Documents and Settings\\wininit.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\notepad\\explorer.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\smss.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\smtpcons\\WmiPrvSE.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\smtpcons\\WmiPrvSE.exe\""	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Checks whether UAC is enabled 1 TTPs 24 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\wbem\smtpcons\24dbde2999530e	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\System32\wbem\smtpcons\RCXECA3.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\System32\wbem\smtpcons\WmiPrvSE.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Windows\System32\wbem\smtpcons\WmiPrvSE.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\notepad\explorer.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\notepad\explorer.exe	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File created	C:\Windows\notepad\7a0fd90576e088	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
File opened for modification	C:\Windows\notepad\RCXE81F.tmp	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe
2844	schtasks.exe
2648	schtasks.exe
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
928	powershell.exe
1120	powershell.exe
600	powershell.exe
1808	powershell.exe
1488	powershell.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe
2160	explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1300	explorer.exe
Token: SeDebugPrivilege	2160	explorer.exe
Token: SeDebugPrivilege	2664	explorer.exe
Token: SeDebugPrivilege	3048	explorer.exe
Token: SeDebugPrivilege	2776	explorer.exe
Token: SeDebugPrivilege	2264	explorer.exe
Token: SeDebugPrivilege	2752	explorer.exe
Token: SeDebugPrivilege	2284	explorer.exe
Token: SeDebugPrivilege	2548	explorer.exe
Token: SeDebugPrivilege	608	explorer.exe
Token: SeDebugPrivilege	2156	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 928	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	36
PID 1224 wrote to memory of 928	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	36
PID 1224 wrote to memory of 928	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	36
PID 1224 wrote to memory of 1120	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	37
PID 1224 wrote to memory of 1120	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	37
PID 1224 wrote to memory of 1120	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	37
PID 1224 wrote to memory of 1808	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	38
PID 1224 wrote to memory of 1808	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	38
PID 1224 wrote to memory of 1808	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	38
PID 1224 wrote to memory of 1488	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	39
PID 1224 wrote to memory of 1488	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	39
PID 1224 wrote to memory of 1488	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	39
PID 1224 wrote to memory of 600	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	40
PID 1224 wrote to memory of 600	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	40
PID 1224 wrote to memory of 600	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	40
PID 1224 wrote to memory of 1660	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	46
PID 1224 wrote to memory of 1660	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	46
PID 1224 wrote to memory of 1660	1224	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe	46
PID 1660 wrote to memory of 1992	1660	cmd.exe	48
PID 1660 wrote to memory of 1992	1660	cmd.exe	48
PID 1660 wrote to memory of 1992	1660	cmd.exe	48
PID 1660 wrote to memory of 1300	1660	cmd.exe	49
PID 1660 wrote to memory of 1300	1660	cmd.exe	49
PID 1660 wrote to memory of 1300	1660	cmd.exe	49
PID 1300 wrote to memory of 1732	1300	explorer.exe	50
PID 1300 wrote to memory of 1732	1300	explorer.exe	50
PID 1300 wrote to memory of 1732	1300	explorer.exe	50
PID 1300 wrote to memory of 1612	1300	explorer.exe	51
PID 1300 wrote to memory of 1612	1300	explorer.exe	51
PID 1300 wrote to memory of 1612	1300	explorer.exe	51
PID 1732 wrote to memory of 2160	1732	WScript.exe	52
PID 1732 wrote to memory of 2160	1732	WScript.exe	52
PID 1732 wrote to memory of 2160	1732	WScript.exe	52
PID 2160 wrote to memory of 2336	2160	explorer.exe	53
PID 2160 wrote to memory of 2336	2160	explorer.exe	53
PID 2160 wrote to memory of 2336	2160	explorer.exe	53
PID 2160 wrote to memory of 1888	2160	explorer.exe	54
PID 2160 wrote to memory of 1888	2160	explorer.exe	54
PID 2160 wrote to memory of 1888	2160	explorer.exe	54
PID 2336 wrote to memory of 2664	2336	WScript.exe	55
PID 2336 wrote to memory of 2664	2336	WScript.exe	55
PID 2336 wrote to memory of 2664	2336	WScript.exe	55
PID 2664 wrote to memory of 2748	2664	explorer.exe	56
PID 2664 wrote to memory of 2748	2664	explorer.exe	56
PID 2664 wrote to memory of 2748	2664	explorer.exe	56
PID 2664 wrote to memory of 2560	2664	explorer.exe	57
PID 2664 wrote to memory of 2560	2664	explorer.exe	57
PID 2664 wrote to memory of 2560	2664	explorer.exe	57
PID 2748 wrote to memory of 3048	2748	WScript.exe	58
PID 2748 wrote to memory of 3048	2748	WScript.exe	58
PID 2748 wrote to memory of 3048	2748	WScript.exe	58
PID 3048 wrote to memory of 1980	3048	explorer.exe	59
PID 3048 wrote to memory of 1980	3048	explorer.exe	59
PID 3048 wrote to memory of 1980	3048	explorer.exe	59
PID 3048 wrote to memory of 2640	3048	explorer.exe	60
PID 3048 wrote to memory of 2640	3048	explorer.exe	60
PID 3048 wrote to memory of 2640	3048	explorer.exe	60
PID 1980 wrote to memory of 2776	1980	WScript.exe	61
PID 1980 wrote to memory of 2776	1980	WScript.exe	61
PID 1980 wrote to memory of 2776	1980	WScript.exe	61
PID 2776 wrote to memory of 2924	2776	explorer.exe	62
PID 2776 wrote to memory of 2924	2776	explorer.exe	62
PID 2776 wrote to memory of 2924	2776	explorer.exe	62
PID 2776 wrote to memory of 1752	2776	explorer.exe	63

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe
"C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3bN.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\notepad\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\smtpcons\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sDRCghYaf3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1992
- - C:\Windows\notepad\explorer.exe
    "C:\Windows\notepad\explorer.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e90fc6-55c7-4fd8-8a8e-70466aacd315.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2160
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e656146b-ea48-4294-85e0-be1ed929a344.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70396f3a-e603-45f2-83ef-1b6ef7e0693b.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\275caf6f-17e0-4fe7-8a6b-5d5c3e79c7f0.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\334e64b8-4454-4e0a-820c-4305c2659358.vbs"
        12⤵
        
        PID:2924
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4542cc0f-d613-46ec-968e-08cf3204b628.vbs"
        14⤵
        
        PID:1680
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\504909a8-5e29-4cf3-a957-e488930ffd13.vbs"
        16⤵
        
        PID:3000
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7620493-13d8-4167-b1ed-0c47a943c9f3.vbs"
        18⤵
        
        PID:1060
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d9795c6-f67d-498d-b79b-2919a504255f.vbs"
        20⤵
        
        PID:1800
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        21⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78430723-6a89-49c9-ae78-ee0b5e1e2c6c.vbs"
        22⤵
        
        PID:1676
        
        C:\Windows\notepad\explorer.exe
        
        C:\Windows\notepad\explorer.exe
        23⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3febc80a-6624-4880-8d82-5101d8eb90ce.vbs"
        24⤵
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a3c21a3-1f0a-4415-b657-f415f177ba63.vbs"
        24⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40976f75-5a53-4480-9c1c-097de2e0ee06.vbs"
        22⤵
        
        PID:888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7aa95130-74cb-4913-984a-3f0941a34fc5.vbs"
        20⤵
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b84c6f2e-6b59-4489-9af1-dbfaac4e3f76.vbs"
        18⤵
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83b781d-de30-42fe-9a99-6021236e8299.vbs"
        16⤵
        
        PID:2736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7f54c9-c4e0-486e-bd32-4fddb4105828.vbs"
        14⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30b2975a-c039-4f26-890f-2b6f510f4e5d.vbs"
        12⤵
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddb6f0de-4be6-4c01-84c6-256e3c2669f1.vbs"
        10⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d91de7b0-212e-4851-81ba-2c088af653e8.vbs"
        8⤵
        
        PID:2560
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd677f47-ac7a-466a-8b9a-7545f676b8ec.vbs"
        6⤵
        
        PID:1888
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c5f63ab-d56a-47a3-9e96-010059a3bfed.vbs"
      4⤵
      PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\notepad\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\smtpcons\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Documents and Settings\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04e90fc6-55c7-4fd8-8a8e-70466aacd315.vbs

Filesize
707B

MD5
2dd298230647f3b52b53b24dbcf86403

SHA1
2c17f16856bfb9f5d7a246a33c4da185ccf432f5

SHA256
062c212fd7860ac1c16cc07d4df6eec1d7f7f330e186769708ae534e788760de

SHA512
e81e528211f43848d33ee734213bd33035d2c518a52f58ff6746d767bc2bc1dea9dfb06c1e918537ab4427ecf63b44db27cee8415a648ee5deb88ea6b5b3e2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\275caf6f-17e0-4fe7-8a6b-5d5c3e79c7f0.vbs

Filesize
707B

MD5
43e990e7041fad6dceb0da842eb58dd6

SHA1
2bb2e56b1bd3b54c212c3b9637fac7829d94ddba

SHA256
64141ed0bb1faa537ac65c6416516154a1a6b30b0731eb1d568d8cb3fde55863

SHA512
818a03cb8389078c4cdd1eaafebb80697ac1fbd7820351dc2285d4cb7173d38ebae59ed858cf1a46d663827797c59ebc8023e894d398d3451530f3609aa7b46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\334e64b8-4454-4e0a-820c-4305c2659358.vbs

Filesize
707B

MD5
0b7eede8c6e9209257625a1a821f180c

SHA1
59c2ffa50eddeb9fe1da8baed4c32f28b6be3812

SHA256
d3fe65862fb8d45c60a400eaf9c3eb57d1e0a9e0b2f9471d2c27646437e25b88

SHA512
964dce5c59bc4b267929b5bfcb72b38a31b3b3d159d3c98772bdc953aaa2f48aa6f92625f5b885af17e6aae90c96185e44c471ab25885e9b17e9cd781dda8905

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c5f63ab-d56a-47a3-9e96-010059a3bfed.vbs

Filesize
483B

MD5
7790a8334e90ab6aa1314fde58066435

SHA1
6e4b64ab37a1d04897ecbe876c376ba667b420f9

SHA256
85672b24b071f15da2fb84082c2cd4e8911964d4c6dd029587396c525230be0d

SHA512
7d26aa0295f7e8d1f37f7ea66adb3baddb32fbcabad092817b62e51a14f8152462650fddd6ae008622c1edfa358a36ae94fd923e30f17c487e813bc2e1786d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3febc80a-6624-4880-8d82-5101d8eb90ce.vbs

Filesize
707B

MD5
f650df91fa2ea9abca97e346414824b2

SHA1
1c4b70a016467cb018f15d85bbeb409e11de89ab

SHA256
183563fccbcb6f9524b690eb49a31ec9e7f5d8c00fdb48d59524df0e438f853e

SHA512
ed0442c29ce2498fe94444289b487b03663ea816be25bac37e60791a4aefe7a592be5cf47a2a6e8e79147681eb68cf2786a952fb72892d9fa3f2e3cb3aa17e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\4542cc0f-d613-46ec-968e-08cf3204b628.vbs

Filesize
707B

MD5
02d27b9b3ca508cfc055b73481f3523c

SHA1
5551e354d43242e01143257509d7796c1c10b99f

SHA256
7b25b9b75adaa822a7d3ab2166090d7f6062f0ef300582e5e4f789f434011004

SHA512
f50d333a30bd3549ff1760b5a6ba4d989a0ee72f2681cf2bd76be93242319e6655ff5e12ac3c47651400f4f75a5ce60f772ab18b83e0e5418ef4e71327589357

Download Submit
C:\Users\Admin\AppData\Local\Temp\504909a8-5e29-4cf3-a957-e488930ffd13.vbs

Filesize
707B

MD5
d3b95dac97bfc9f3d2897447d0cef363

SHA1
002203d8376b0712b048196cab6f5897ebc63ee1

SHA256
2f91fb283701bd50382bda68eeda886fce65681102ce99cde2a8903921cac502

SHA512
6cadc08c75187ba48686e599853f171d94fcb610941a9b8b04f85464fba49a453a8738e0cd7d2ad48a4fb4135d74947e23da806f2a31f9a6e24272d8a4e087a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\70396f3a-e603-45f2-83ef-1b6ef7e0693b.vbs

Filesize
707B

MD5
50da51c75ae9e38bee702365ab79cea7

SHA1
e735d1f9afa2b88c49c05e8e598a2223fbe222aa

SHA256
cfbfd30c7d3207a0d56c1989e400b01b19983e04939dad4cdff6b63dc465fcfe

SHA512
20cc1540b7177cda2d334b5daf872b692a83b6af72cc22f471e03f6653fba5b63e87409b39dc88675c6ba157eeff95527f84753c301aa3d2e31290086f6be478

Download Submit
C:\Users\Admin\AppData\Local\Temp\78430723-6a89-49c9-ae78-ee0b5e1e2c6c.vbs

Filesize
706B

MD5
cb8bb0c82347b0f00b06aeb610b4fbc6

SHA1
d498f078a29a14dc47a818b0e3878c688cfc47d1

SHA256
7f53620b42ebb29d95ab79bc9eda4896220bbf51f453b3f6f9d0aa2143e3083b

SHA512
91bd8a5b39f06cd9682be3e273a68ea1b180ac85ccb554ca88d9e0386923a4aaa169fa78e071ce4d599c577c2331841042ede9bda3b5bb7ef899c16ed1fe3c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d9795c6-f67d-498d-b79b-2919a504255f.vbs

Filesize
707B

MD5
c986d83b019974119a02c64ab7223c96

SHA1
0d839a5815bf9c9914db1f60aa2cbd95b4e07c9a

SHA256
e1e1b72c71ee30eea3e9f4d16ccd1e27849611a8b67177cf61574acf4804540a

SHA512
9e84da6a5a93af4f0f9ee05111c905f7032b43a840b2270d3eea2a97804f793b7c67648ee5d330d1c60ba2b5308cf944dd7fd7a842df11699ec86e6179576c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\e656146b-ea48-4294-85e0-be1ed929a344.vbs

Filesize
707B

MD5
b13641b6b04f9fb1706e195912e38018

SHA1
3070592cfab91c4553a99ad64803d014eaa43e8c

SHA256
7280c14ab65f21d48e85aab560a4e42a063939fb916b34188b4a4a2b4e384b46

SHA512
cacca1a999028fcd03847bfec27a0cb3d8ae3f1f659a1043bd9bb8081a8cbe75b1cb29093f8556dc78c5c99231fe17ad7cb1c745715317511f6ab74e4beece87

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7620493-13d8-4167-b1ed-0c47a943c9f3.vbs

Filesize
707B

MD5
f81e1846d9de5e5689c85cc6e7ed273f

SHA1
61a857ffb15a164bcfe67c0c3d5a63658e68f4b5

SHA256
80afe01bf32f61e588d158197cc8468c497e730935ffa86548d9b10f8b0dd2f4

SHA512
d51a66fef42710ce63db83794342b1ab020c5d17cd87392b480e2889058f33506c536e54d0298b0ae3caad409958cb57a7efed963d688e5c1d1d44649655377e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sDRCghYaf3.bat

Filesize
195B

MD5
6d7fb71ba7b0f72eb87a7fba59706e4a

SHA1
513f7cac48a2fe60d6292b399f2744c7ab3a4e44

SHA256
34ee9960726403525b791e0c290fb759da0db8572ad732309ac9e5fb9f621b26

SHA512
3f91ccf49ae02a0822154cc7993fafc22fb09274b397274c317e2589a95b7f658f62b5545ec498c965ab696d0c88d3567c1f1f8e34a30a9e225cd204ebf94e55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15f2db4ce4ea10965d502611c93bbd6d

SHA1
755c817412953835b1137eb885046aa44f882f64

SHA256
1661627a1afb60652122d535eafc5f99ed5dd1a5632905d44cd1d908862e9790

SHA512
60ddeec73a1b58edfb252d6e86cc38251fe9b9a9f872ab0cf04684d5b1a21b67ae402b2c4b5ffc7c7bc89423d5825ac018ca8c83c0007339fca83009e6f53cd7

Download Submit
C:\Windows\notepad\explorer.exe

Filesize
1.5MB

MD5
9e54b620ba5ba95578b28cf40ce2f690

SHA1
861c80cee6a1da4b207354fa67bf6d048e52cc1c

SHA256
cf3d0568ce093ec551e30d090429d7ac010b4c8b02ae322dad10f889b09dfa3b

SHA512
e77aae75f9d9dc2843ec3b0a0b8561acfc4ab873fcd91e8d73f01179a889c837229b1d0e05fc6f948355ac638429a8e0aec53a6aaecc0ccfa6a5562a5dd78c96

Download Submit
memory/608-201-0x0000000001340000-0x00000000014BE000-memory.dmp

Filesize
1.5MB

Download
memory/928-93-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/928-87-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1224-12-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/1224-13-0x0000000002170000-0x000000000217A000-memory.dmp

Filesize
40KB

Download
memory/1224-21-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/1224-24-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-18-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1224-41-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1224-86-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-17-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download
memory/1224-16-0x00000000021A0000-0x00000000021A8000-memory.dmp

Filesize
32KB

Download
memory/1224-15-0x0000000002190000-0x000000000219A000-memory.dmp

Filesize
40KB

Download
memory/1224-4-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1224-5-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/1224-3-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1224-11-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/1224-20-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/1224-10-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/1224-1-0x0000000000090000-0x000000000020E000-memory.dmp

Filesize
1.5MB

Download
memory/1224-9-0x0000000002130000-0x000000000213C000-memory.dmp

Filesize
48KB

Download
memory/1224-8-0x0000000002120000-0x0000000002128000-memory.dmp

Filesize
32KB

Download
memory/1224-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/1224-7-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/1224-14-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/1224-6-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1300-97-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1300-96-0x0000000000E00000-0x0000000000F7E000-memory.dmp

Filesize
1.5MB

Download
memory/2160-108-0x0000000000200000-0x000000000037E000-memory.dmp

Filesize
1.5MB

Download
memory/2264-155-0x0000000000F70000-0x00000000010EE000-memory.dmp

Filesize
1.5MB

Download
memory/2548-189-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2664-120-0x0000000000CA0000-0x0000000000E1E000-memory.dmp

Filesize
1.5MB

Download
memory/2776-143-0x0000000000220000-0x000000000039E000-memory.dmp

Filesize
1.5MB

Download