dcrat | 903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Size

4.9MB
MD5

c8aed5ed45bf6b161c7017b923dd50c0
SHA1

6df5c1fe6bee119c27b87532cf0d13c31fa3a2dc
SHA256

903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5
SHA512

496c2da4e5514f9dfd2b0c02096f38cde4203c3022d41df83a4a497b268e13732c8c2dd9e68cc697eae42505b808e674c862787ee337dca6c92e024b90333c5f
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2120	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2120	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1508-3-0x000000001B3C0000-0x000000001B4EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1608	powershell.exe
1252	powershell.exe
2652	powershell.exe
2520	powershell.exe
2244	powershell.exe
2904	powershell.exe
1084	powershell.exe
2080	powershell.exe
536	powershell.exe
2240	powershell.exe
740	powershell.exe
1940	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1584	WmiPrvSE.exe
1696	WmiPrvSE.exe
864	WmiPrvSE.exe
964	WmiPrvSE.exe
2424	WmiPrvSE.exe
2340	WmiPrvSE.exe
1160	WmiPrvSE.exe
1692	WmiPrvSE.exe
1868	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\hu-HU\smss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\SysWOW64\hu-HU\69ddcba757bf72	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\SysWOW64\hu-HU\RCX72D.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\SysWOW64\hu-HU\smss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\RCXFA99.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\RCXFA9.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\Windows Journal\fr-FR\0a1fd5f707cd16	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\Windows Journal\csrss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\Windows Journal\csrss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\Windows Journal\886983d96e3d3e	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX13C1.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\Windows Journal\fr-FR\sppsvc.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCXDA6.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\sppsvc.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Rules\en-US\System.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\security\audit\WmiPrvSE.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\System.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\Fonts\RCXF48D.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\security\audit\RCXFC9D.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\Fonts\audiodg.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\Fonts\audiodg.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\Fonts\42af1c969fbb7b	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\security\audit\WmiPrvSE.exe	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\security\audit\24dbde2999530e	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File created	C:\Windows\PLA\Rules\en-US\27d1bcfc3c54e0	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
File opened for modification	C:\Windows\PLA\Rules\en-US\RCX931.tmp	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2768	schtasks.exe
2924	schtasks.exe
536	schtasks.exe
1916	schtasks.exe
1816	schtasks.exe
2624	schtasks.exe
2888	schtasks.exe
2780	schtasks.exe
2168	schtasks.exe
1396	schtasks.exe
2508	schtasks.exe
988	schtasks.exe
2724	schtasks.exe
1284	schtasks.exe
2904	schtasks.exe
2200	schtasks.exe
1860	schtasks.exe
1376	schtasks.exe
3064	schtasks.exe
2648	schtasks.exe
1260	schtasks.exe
2076	schtasks.exe
1760	schtasks.exe
2092	schtasks.exe
2952	schtasks.exe
1364	schtasks.exe
3016	schtasks.exe
2688	schtasks.exe
2556	schtasks.exe
2900	schtasks.exe
1632	schtasks.exe
2472	schtasks.exe
628	schtasks.exe
864	schtasks.exe
2044	schtasks.exe
2580	schtasks.exe
1780	schtasks.exe
2276	schtasks.exe
2124	schtasks.exe
548	schtasks.exe
2956	schtasks.exe
324	schtasks.exe
1792	schtasks.exe
1912	schtasks.exe
1796	schtasks.exe
1500	schtasks.exe
1748	schtasks.exe
1728	schtasks.exe
2208	schtasks.exe
2460	schtasks.exe
2268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
2520	powershell.exe
2240	powershell.exe
536	powershell.exe
1084	powershell.exe
2244	powershell.exe
740	powershell.exe
2080	powershell.exe
1252	powershell.exe
2904	powershell.exe
2652	powershell.exe
1608	powershell.exe
1940	powershell.exe
1584	WmiPrvSE.exe
1696	WmiPrvSE.exe
864	WmiPrvSE.exe
964	WmiPrvSE.exe
2424	WmiPrvSE.exe
2340	WmiPrvSE.exe
1160	WmiPrvSE.exe
1692	WmiPrvSE.exe
1868	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1584	WmiPrvSE.exe
Token: SeDebugPrivilege	1696	WmiPrvSE.exe
Token: SeDebugPrivilege	864	WmiPrvSE.exe
Token: SeDebugPrivilege	964	WmiPrvSE.exe
Token: SeDebugPrivilege	2424	WmiPrvSE.exe
Token: SeDebugPrivilege	2340	WmiPrvSE.exe
Token: SeDebugPrivilege	1160	WmiPrvSE.exe
Token: SeDebugPrivilege	1692	WmiPrvSE.exe
Token: SeDebugPrivilege	1868	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2080	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	84
PID 1508 wrote to memory of 2080	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	84
PID 1508 wrote to memory of 2080	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	84
PID 1508 wrote to memory of 536	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	85
PID 1508 wrote to memory of 536	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	85
PID 1508 wrote to memory of 536	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	85
PID 1508 wrote to memory of 2240	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	86
PID 1508 wrote to memory of 2240	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	86
PID 1508 wrote to memory of 2240	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	86
PID 1508 wrote to memory of 1252	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	87
PID 1508 wrote to memory of 1252	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	87
PID 1508 wrote to memory of 1252	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	87
PID 1508 wrote to memory of 2652	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	88
PID 1508 wrote to memory of 2652	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	88
PID 1508 wrote to memory of 2652	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	88
PID 1508 wrote to memory of 740	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	89
PID 1508 wrote to memory of 740	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	89
PID 1508 wrote to memory of 740	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	89
PID 1508 wrote to memory of 2520	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	90
PID 1508 wrote to memory of 2520	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	90
PID 1508 wrote to memory of 2520	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	90
PID 1508 wrote to memory of 2244	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	91
PID 1508 wrote to memory of 2244	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	91
PID 1508 wrote to memory of 2244	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	91
PID 1508 wrote to memory of 2904	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	92
PID 1508 wrote to memory of 2904	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	92
PID 1508 wrote to memory of 2904	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	92
PID 1508 wrote to memory of 1940	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	93
PID 1508 wrote to memory of 1940	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	93
PID 1508 wrote to memory of 1940	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	93
PID 1508 wrote to memory of 1084	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	94
PID 1508 wrote to memory of 1084	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	94
PID 1508 wrote to memory of 1084	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	94
PID 1508 wrote to memory of 1608	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	95
PID 1508 wrote to memory of 1608	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	95
PID 1508 wrote to memory of 1608	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	95
PID 1508 wrote to memory of 2032	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	105
PID 1508 wrote to memory of 2032	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	105
PID 1508 wrote to memory of 2032	1508	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe	105
PID 2032 wrote to memory of 2432	2032	cmd.exe	110
PID 2032 wrote to memory of 2432	2032	cmd.exe	110
PID 2032 wrote to memory of 2432	2032	cmd.exe	110
PID 2032 wrote to memory of 1584	2032	cmd.exe	111
PID 2032 wrote to memory of 1584	2032	cmd.exe	111
PID 2032 wrote to memory of 1584	2032	cmd.exe	111
PID 1584 wrote to memory of 2556	1584	WmiPrvSE.exe	112
PID 1584 wrote to memory of 2556	1584	WmiPrvSE.exe	112
PID 1584 wrote to memory of 2556	1584	WmiPrvSE.exe	112
PID 1584 wrote to memory of 1080	1584	WmiPrvSE.exe	113
PID 1584 wrote to memory of 1080	1584	WmiPrvSE.exe	113
PID 1584 wrote to memory of 1080	1584	WmiPrvSE.exe	113
PID 2556 wrote to memory of 1696	2556	WScript.exe	114
PID 2556 wrote to memory of 1696	2556	WScript.exe	114
PID 2556 wrote to memory of 1696	2556	WScript.exe	114
PID 1696 wrote to memory of 1748	1696	WmiPrvSE.exe	115
PID 1696 wrote to memory of 1748	1696	WmiPrvSE.exe	115
PID 1696 wrote to memory of 1748	1696	WmiPrvSE.exe	115
PID 1696 wrote to memory of 1588	1696	WmiPrvSE.exe	116
PID 1696 wrote to memory of 1588	1696	WmiPrvSE.exe	116
PID 1696 wrote to memory of 1588	1696	WmiPrvSE.exe	116
PID 1748 wrote to memory of 864	1748	WScript.exe	117
PID 1748 wrote to memory of 864	1748	WScript.exe	117
PID 1748 wrote to memory of 864	1748	WScript.exe	117
PID 864 wrote to memory of 2520	864	WmiPrvSE.exe	118

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe
"C:\Users\Admin\AppData\Local\Temp\903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5u8HFbvhjA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2432
- - C:\Users\Admin\Desktop\WmiPrvSE.exe
    "C:\Users\Admin\Desktop\WmiPrvSE.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1584
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52bc1f04-1e50-4976-9a66-6cbfda4c44ab.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170834e0-539d-4b11-a4ff-48c6a1989317.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71dfb109-f37c-4147-823d-dc278d064fc0.vbs"
        8⤵
        
        PID:2520
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ef00228-0108-4de6-9a92-15f7b66e2d66.vbs"
        10⤵
        
        PID:1996
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77e66d7b-bab5-4004-b447-484d5d59f00d.vbs"
        12⤵
        
        PID:1524
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201901a9-8212-4ff5-97e3-06dc73b886e0.vbs"
        14⤵
        
        PID:2240
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93180363-8e48-4a57-808f-e452f1a86b55.vbs"
        16⤵
        
        PID:2936
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fc6c388-5072-4b80-9025-e3e7e388d74c.vbs"
        18⤵
        
        PID:1480
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        
        C:\Users\Admin\Desktop\WmiPrvSE.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\294ccdc7-c083-4285-8c85-595afba002b2.vbs"
        18⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508a9104-9345-4f27-ac54-4fb5ac2b5aa8.vbs"
        16⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64789560-fde5-4dad-9471-ca9bc780b839.vbs"
        14⤵
        
        PID:912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\219cbf3a-0daf-4087-9070-1336292ede55.vbs"
        12⤵
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c531b548-a5a7-45c5-9b76-744ac27cc0e1.vbs"
        10⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52491be4-658a-4886-8e0a-cd593af171ec.vbs"
        8⤵
        
        PID:2092
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d999c42f-e99c-4088-93e7-422adb8a348d.vbs"
        6⤵
        
        PID:1588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5c0047d-2b24-412e-9c5c-066ee11d70d1.vbs"
      4⤵
      PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Cookies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\hu-HU\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\hu-HU\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\hu-HU\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Rules\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Rules\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ef00228-0108-4de6-9a92-15f7b66e2d66.vbs

Filesize
710B

MD5
3496cba5c352017f151892607a28d28c

SHA1
3da1b01794e24cdd637f5e996e9dba97bf86a56a

SHA256
5363dc53e449c9660db1dedba986ecb230b6967d24e43caf2077c72836ca83cc

SHA512
8725b572f5734744ba1d9524ef1284ee8b08002f19902582c5ebb3bc3f52fcf2a4d7e852e10975115333d80ab66e0c27ed3a98a51e9f39591e13a605f02c417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fc6c388-5072-4b80-9025-e3e7e388d74c.vbs

Filesize
711B

MD5
8f0e19b476ec573f3f35431b16664cec

SHA1
d5e245a1b8bbb7546a3be7211e291047ddec80ab

SHA256
343608c09426aea57fadc320f671810197271257c72977f41dffb8a25af96af4

SHA512
791ca5094eba69d6a91e5e27cc587ad2298c07c4ef3b4c2ee951d988cbe1b9ea6969315b2b58acf5861e4b97628eaa8b8d1dcd3deb42b13ff36caf44095e4c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\170834e0-539d-4b11-a4ff-48c6a1989317.vbs

Filesize
711B

MD5
007369baccd0558a1f088c2808b80274

SHA1
369d8992e79498f669870cba5d16dae66f78ff77

SHA256
be523cbb4ad23f7738897cd1496dcd09d2d8b8a5af5043096671c53a932fff09

SHA512
377382f304ef4f65fa77b71bc8e47aa4332cba0eed22d3cfc5a84085f291aade526360d45ea6a7c4c533230dd97bbeaf276680eec6b1d545a0a37306390f3ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\201901a9-8212-4ff5-97e3-06dc73b886e0.vbs

Filesize
711B

MD5
66e850fcf9e7102c6ebc9925116a6a01

SHA1
0288fbbf0efb093947ec2a0be4a1d1977b8d94c7

SHA256
a989e50aeebb3595e566f99eea67567a85dcacab3b73dee6001ff5befd6c2a31

SHA512
84425a5f94d8d2519a29420661191c895ee8cd69da332c87e6364eb2d613d1500fb67a756a61bafa29cd9d37664a0a953ffa39907d472b6c95b01cbf399db05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\52bc1f04-1e50-4976-9a66-6cbfda4c44ab.vbs

Filesize
711B

MD5
b5788be02c18b86a5bdfae7c867c47b3

SHA1
159e4a7086d97a979246f282f451f2a01840b029

SHA256
7604f5af46a685aa3199c07801312d27ad5cc4a1993aea2322f8c71dce9154b2

SHA512
76d42263943514b9e6cea8815b126795fc6312c717a94f87636b25d5b06329350b18765509abc94c6370e5b461bcf052ef09603b5ca1c32265ee17febd5eb57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5u8HFbvhjA.bat

Filesize
200B

MD5
5ff1e8c2bd132fcbc0fef300c1e3ab67

SHA1
4851c8b8f75238683275399d248cb3d3b745458b

SHA256
cfc61e3a8af27a419d8b82ba8be62164263bcaa158659d05159552fa2134aa48

SHA512
5526943f1f4bade0b9c896e661ea4cb971a356a128e95357ae68cbe580151e3de4daa3c6da2887c30856d9092c809c542fca66f51df86af8c1cc89109ecf2427

Download Submit
C:\Users\Admin\AppData\Local\Temp\71dfb109-f37c-4147-823d-dc278d064fc0.vbs

Filesize
710B

MD5
4f5ded44b9606f42ca95593dbae716bb

SHA1
56533c89a15e2f5a57e75de22254242ed32f49de

SHA256
57db62c7c515b93e46a46a405d176d6ec6c446f95753284117a84f42903f1cc6

SHA512
fd99b98f2ad43ea1dab547d2d0771bf8607af3e287d4a15faa6cbb63379106def8957eea08a6cbca1f8375c704c2c9a092081fcbab9ca549e838007f04fe0e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\77e66d7b-bab5-4004-b447-484d5d59f00d.vbs

Filesize
711B

MD5
554c10892e76ae864ede51beda2b57f5

SHA1
8783031dfa7621a565722c97dae647c88da66bcb

SHA256
dd7f1738cc54eadd956e1e04809f99d6125ca8f11cd36d8169374591816c0640

SHA512
c93d8d74ee2ec3b0cbf4a49d59c0720ba13486b5c76e78915120b40f546087a4ddd4d08a6fb78b61a73d011ef483f8ad3a23fa95a341a7ebf62dbca199309c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\93180363-8e48-4a57-808f-e452f1a86b55.vbs

Filesize
711B

MD5
b3015bc707fa8717193014acebde40f2

SHA1
8be2e3611d89c179562f2c85cdc62812dc38e552

SHA256
a6c6cb05f11280177b1c5f27eb4e32885fb4c6fb509858723a970c3f890da8f7

SHA512
66e6d0908ea3c6a031ef367bcd2e57e8441db3ff07cdc998d255d745496ad7c01f751d9dfa466d63e180a97f0e7edbf883224b86c94b8606a621279b6245a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5c0047d-2b24-412e-9c5c-066ee11d70d1.vbs

Filesize
487B

MD5
9dfa43d9c2eeee80c1c23118e71a4dc4

SHA1
b33efb01cbfd79c27fdbe8ed6140c9bdb4823dcf

SHA256
e0d1c1d550cb75102e09f5706854a09f9fe90b1a76b829379fc5ce5c4831fc5c

SHA512
f1ce2c06afb86b7a7025cca7b6c71601f75f984de02000266d7f30b96e9351595fa30dbeac8bf4d444e125d9ccd92b79e01c6817e02bf12d2771468ed9221c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3EE4.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
75b09fa7bbabcfa0c555f101c0b15abe

SHA1
7fe3bfc8b60f3fc1627a667b8f0d68326480c66b

SHA256
4213ca399425c2b293d97bbf63a255dc11882ed45cb91cdfea1a80a84efac165

SHA512
260c64b6e65c95cb33d9a9e3522af4fcceb26a16d7ff6018dfef85b46a0990f1e5e46de5b20ec4d1bc6923b4225311317074d7d28fa55caa6a5a1747b6fcfbb5

Download Submit
C:\Users\Admin\Contacts\RCX112.tmp

Filesize
4.9MB

MD5
4ae34d9760ed88d8cc4d8b5c2eb84952

SHA1
129d38be6816f811eb66f5b4a7d50776c37d7ddf

SHA256
940f2002439c2ded6799f3bc7e552b9271975879cf9a55062f5a958215a3f68c

SHA512
0d173eccdde842b77c5365095182c927b3f3990d3e6062d87bec2e8bf6f832430e45cca50dbf0f7e13e21bda6da9b4e485f97a7fea295eeb72ba19f439ec55dd

Download Submit
C:\Users\Default\smss.exe

Filesize
4.9MB

MD5
5c646259e03282fe997cc178d15e8e4a

SHA1
1906ab5facf0f2d7b8e4b4c8a59a276bd636c020

SHA256
e0d9f46b46c867a7c65bbe7138c5ca320a8f3fb10189c05aea17fcc24270639e

SHA512
c2f930502d49074f054df8924414fccc39a8b33c5d1c8a0fa1d67d425683a99508603b5b36232468490faa40752defb2e854802f6176f83007b724e6e01ed613

Download Submit
C:\Windows\security\audit\WmiPrvSE.exe

Filesize
4.9MB

MD5
c8aed5ed45bf6b161c7017b923dd50c0

SHA1
6df5c1fe6bee119c27b87532cf0d13c31fa3a2dc

SHA256
903d97d23fcc278c60a38da555df52ae220b7cfd9668589ad538453f9438cad5

SHA512
496c2da4e5514f9dfd2b0c02096f38cde4203c3022d41df83a4a497b268e13732c8c2dd9e68cc697eae42505b808e674c862787ee337dca6c92e024b90333c5f

Download Submit
memory/536-208-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/864-273-0x00000000008B0000-0x0000000000DA4000-memory.dmp

Filesize
5.0MB

Download
memory/964-288-0x0000000000380000-0x0000000000874000-memory.dmp

Filesize
5.0MB

Download
memory/964-289-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/1160-334-0x0000000001020000-0x0000000001514000-memory.dmp

Filesize
5.0MB

Download
memory/1508-11-0x000000001AF10000-0x000000001AF1A000-memory.dmp

Filesize
40KB

Download
memory/1508-5-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/1508-178-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-145-0x000007FEF4E53000-0x000007FEF4E54000-memory.dmp

Filesize
4KB

Download
memory/1508-1-0x00000000002F0000-0x00000000007E4000-memory.dmp

Filesize
5.0MB

Download
memory/1508-16-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/1508-15-0x000000001AF50000-0x000000001AF58000-memory.dmp

Filesize
32KB

Download
memory/1508-2-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-14-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/1508-13-0x000000001AF30000-0x000000001AF3E000-memory.dmp

Filesize
56KB

Download
memory/1508-12-0x000000001AF20000-0x000000001AF2E000-memory.dmp

Filesize
56KB

Download
memory/1508-3-0x000000001B3C0000-0x000000001B4EE000-memory.dmp

Filesize
1.2MB

Download
memory/1508-0-0x000007FEF4E53000-0x000007FEF4E54000-memory.dmp

Filesize
4KB

Download
memory/1508-10-0x000000001AB30000-0x000000001AB42000-memory.dmp

Filesize
72KB

Download
memory/1508-9-0x000000001AB20000-0x000000001AB2A000-memory.dmp

Filesize
40KB

Download
memory/1508-7-0x000000001AB00000-0x000000001AB16000-memory.dmp

Filesize
88KB

Download
memory/1508-8-0x0000000002310000-0x0000000002320000-memory.dmp

Filesize
64KB

Download
memory/1508-6-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/1508-4-0x0000000000A30000-0x0000000000A4C000-memory.dmp

Filesize
112KB

Download
memory/1508-160-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

Filesize
9.9MB

Download
memory/1584-244-0x0000000000EE0000-0x00000000013D4000-memory.dmp

Filesize
5.0MB

Download
memory/1696-258-0x0000000000310000-0x0000000000804000-memory.dmp

Filesize
5.0MB

Download
memory/2340-319-0x0000000000080000-0x0000000000574000-memory.dmp

Filesize
5.0MB

Download
memory/2424-304-0x0000000000B40000-0x0000000001034000-memory.dmp

Filesize
5.0MB

Download
memory/2520-230-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download