dcrat | 211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Size

4.9MB
MD5

e6c3b728178aafda74462752efcc0d1c
SHA1

ca9bc7682c0e6ef226c1f1390e1369b355366c8f
SHA256

211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6
SHA512

2827bf81f1686a96c1e629c8aac38bebb1947393dd0ae2d9e71619c12fc679df9668bfe05fddae04caa3d83cebe7cae4cbeee0e54173054bffadd004cc8b9c5c
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2280	schtasks.exe	30

UAC bypass 3 TTPs 27 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1084-2-0x000000001B280000-0x000000001B3AE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
2328	powershell.exe
2504	powershell.exe
1460	powershell.exe
2452	powershell.exe
1972	powershell.exe
2108	powershell.exe
2144	powershell.exe
2052	powershell.exe
436	powershell.exe
2628	powershell.exe
1668	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
2276	WmiPrvSE.exe
3020	WmiPrvSE.exe
456	WmiPrvSE.exe
2800	WmiPrvSE.exe
2008	WmiPrvSE.exe
2448	WmiPrvSE.exe
2084	WmiPrvSE.exe
2820	WmiPrvSE.exe

Checks whether UAC is enabled 1 TTPs 18 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Windows\System32\Dism\ja-JP\24dbde2999530e	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\RCXD5D9.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files\Windows Journal\ja-JP\winlogon.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files\Internet Explorer\en-US\0a1fd5f707cd16	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDE64.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCXD3B6.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXDAF9.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\sppsvc.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXE4CD.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files\Internet Explorer\en-US\sppsvc.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files\Windows Journal\ja-JP\cc11b995f2a76d	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCXE087.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\winlogon.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\dllhost.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Windows\AppCompat\Programs\5940a34987c991	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXE2AA.tmp	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File opened for modification	C:\Windows\AppCompat\Programs\dllhost.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
File created	C:\Windows\Boot\Fonts\spoolsv.exe	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2964	schtasks.exe
2200	schtasks.exe
2540	schtasks.exe
2120	schtasks.exe
1760	schtasks.exe
2956	schtasks.exe
2800	schtasks.exe
2796	schtasks.exe
2616	schtasks.exe
616	schtasks.exe
2368	schtasks.exe
2172	schtasks.exe
2820	schtasks.exe
1444	schtasks.exe
812	schtasks.exe
2140	schtasks.exe
1764	schtasks.exe
1080	schtasks.exe
2972	schtasks.exe
2552	schtasks.exe
2092	schtasks.exe
2764	schtasks.exe
3044	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
2144	powershell.exe
2628	powershell.exe
1972	powershell.exe
2328	powershell.exe
2052	powershell.exe
2108	powershell.exe
2504	powershell.exe
1460	powershell.exe
2452	powershell.exe
1668	powershell.exe
2848	powershell.exe
436	powershell.exe
2276	WmiPrvSE.exe
3020	WmiPrvSE.exe
456	WmiPrvSE.exe
2800	WmiPrvSE.exe
2008	WmiPrvSE.exe
2448	WmiPrvSE.exe
2084	WmiPrvSE.exe
2820	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	2276	WmiPrvSE.exe
Token: SeDebugPrivilege	3020	WmiPrvSE.exe
Token: SeDebugPrivilege	456	WmiPrvSE.exe
Token: SeDebugPrivilege	2800	WmiPrvSE.exe
Token: SeDebugPrivilege	2008	WmiPrvSE.exe
Token: SeDebugPrivilege	2448	WmiPrvSE.exe
Token: SeDebugPrivilege	2084	WmiPrvSE.exe
Token: SeDebugPrivilege	2820	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2144	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	55
PID 1084 wrote to memory of 2144	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	55
PID 1084 wrote to memory of 2144	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	55
PID 1084 wrote to memory of 1668	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	56
PID 1084 wrote to memory of 1668	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	56
PID 1084 wrote to memory of 1668	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	56
PID 1084 wrote to memory of 2108	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	57
PID 1084 wrote to memory of 2108	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	57
PID 1084 wrote to memory of 2108	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	57
PID 1084 wrote to memory of 1972	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	58
PID 1084 wrote to memory of 1972	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	58
PID 1084 wrote to memory of 1972	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	58
PID 1084 wrote to memory of 2452	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	60
PID 1084 wrote to memory of 2452	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	60
PID 1084 wrote to memory of 2452	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	60
PID 1084 wrote to memory of 1460	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	61
PID 1084 wrote to memory of 1460	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	61
PID 1084 wrote to memory of 1460	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	61
PID 1084 wrote to memory of 2504	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	63
PID 1084 wrote to memory of 2504	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	63
PID 1084 wrote to memory of 2504	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	63
PID 1084 wrote to memory of 2328	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	64
PID 1084 wrote to memory of 2328	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	64
PID 1084 wrote to memory of 2328	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	64
PID 1084 wrote to memory of 2628	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	65
PID 1084 wrote to memory of 2628	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	65
PID 1084 wrote to memory of 2628	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	65
PID 1084 wrote to memory of 436	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	67
PID 1084 wrote to memory of 436	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	67
PID 1084 wrote to memory of 436	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	67
PID 1084 wrote to memory of 2052	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	68
PID 1084 wrote to memory of 2052	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	68
PID 1084 wrote to memory of 2052	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	68
PID 1084 wrote to memory of 2848	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	69
PID 1084 wrote to memory of 2848	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	69
PID 1084 wrote to memory of 2848	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	69
PID 1084 wrote to memory of 2276	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	79
PID 1084 wrote to memory of 2276	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	79
PID 1084 wrote to memory of 2276	1084	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe	79
PID 2276 wrote to memory of 1588	2276	WmiPrvSE.exe	80
PID 2276 wrote to memory of 1588	2276	WmiPrvSE.exe	80
PID 2276 wrote to memory of 1588	2276	WmiPrvSE.exe	80
PID 2276 wrote to memory of 2028	2276	WmiPrvSE.exe	81
PID 2276 wrote to memory of 2028	2276	WmiPrvSE.exe	81
PID 2276 wrote to memory of 2028	2276	WmiPrvSE.exe	81
PID 1588 wrote to memory of 3020	1588	WScript.exe	82
PID 1588 wrote to memory of 3020	1588	WScript.exe	82
PID 1588 wrote to memory of 3020	1588	WScript.exe	82
PID 3020 wrote to memory of 2836	3020	WmiPrvSE.exe	83
PID 3020 wrote to memory of 2836	3020	WmiPrvSE.exe	83
PID 3020 wrote to memory of 2836	3020	WmiPrvSE.exe	83
PID 3020 wrote to memory of 868	3020	WmiPrvSE.exe	84
PID 3020 wrote to memory of 868	3020	WmiPrvSE.exe	84
PID 3020 wrote to memory of 868	3020	WmiPrvSE.exe	84
PID 2836 wrote to memory of 456	2836	WScript.exe	85
PID 2836 wrote to memory of 456	2836	WScript.exe	85
PID 2836 wrote to memory of 456	2836	WScript.exe	85
PID 456 wrote to memory of 336	456	WmiPrvSE.exe	86
PID 456 wrote to memory of 336	456	WmiPrvSE.exe	86
PID 456 wrote to memory of 336	456	WmiPrvSE.exe	86
PID 456 wrote to memory of 2608	456	WmiPrvSE.exe	87
PID 456 wrote to memory of 2608	456	WmiPrvSE.exe	87
PID 456 wrote to memory of 2608	456	WmiPrvSE.exe	87
PID 336 wrote to memory of 2800	336	WScript.exe	88

System policy modification 1 TTPs 27 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe
"C:\Users\Admin\AppData\Local\Temp\211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
  "C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d54d886-fb1e-4dd4-8281-f324e10790f1.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
      C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:3020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a642aec-2c23-4776-90fc-81617136317c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77246e34-485d-4d87-b907-af06581581eb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e18f30b5-be02-46f6-82be-dc7e2bfeb362.vbs"
        9⤵
        
        PID:1448
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d8ae12b-e02c-448e-8fab-59099a1844eb.vbs"
        11⤵
        
        PID:2432
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1200ec-8240-4fa7-8577-1ab07df84b13.vbs"
        13⤵
        
        PID:2304
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3209383-d685-44c3-ab7f-5decc8592ff0.vbs"
        15⤵
        
        PID:1536
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        
        C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0172f6b-0877-4417-9d12-09c09c5afb39.vbs"
        17⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4be840d6-1223-4925-8bf2-9a457d1745bd.vbs"
        17⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad7bc1f3-9062-42d6-81ff-020b70f1f137.vbs"
        15⤵
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\330d2542-f1ff-4022-9f1b-e4168b90e8e5.vbs"
        13⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fea4d9e-e47b-4e6b-bb19-4f4c80fd91ec.vbs"
        11⤵
        
        PID:2032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65ba5881-f73a-495c-9342-878621e15d64.vbs"
        9⤵
        
        PID:1180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99145943-46d1-4de5-bbc3-3779004c0e89.vbs"
        7⤵
        
        PID:2608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e94e58a-17a7-4cdf-b75f-295a210a11d4.vbs"
        5⤵
        
        PID:868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd43b8ae-2bef-4ab0-bfa6-d6385e25b886.vbs"
    3⤵
    PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\Dism\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\Idle.exe

Filesize
4.9MB

MD5
b7721116b04873088c2cdc35e9005148

SHA1
7bd13e68748da057d6e8acf8b6e995e2e1f4532a

SHA256
9b2bd341fed8a87ba0ed1fd4de072acdf7fb7c1f4d17135426948fb3a7d2cc96

SHA512
ae2a5c53d581552a892d7503b463cb39f2f3a7bcbcbcfd0e9e5e498a8cdd3cad65e5d5500287b2c7ffd4026a7dd8dbe7aa4c06baa0e1968999eb252ca9fb7844

Download Submit
C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe

Filesize
4.9MB

MD5
e6c3b728178aafda74462752efcc0d1c

SHA1
ca9bc7682c0e6ef226c1f1390e1369b355366c8f

SHA256
211189ad4ee0ba326b3de856c081a2604649874e737f1cb5459d34db06d443f6

SHA512
2827bf81f1686a96c1e629c8aac38bebb1947393dd0ae2d9e71619c12fc679df9668bfe05fddae04caa3d83cebe7cae4cbeee0e54173054bffadd004cc8b9c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d8ae12b-e02c-448e-8fab-59099a1844eb.vbs

Filesize
719B

MD5
c90456d7471da29b2121761a002cb2eb

SHA1
092536ba56c912397732a073c4c9f5a3c6fe93c7

SHA256
57eb24ab15264b5789d0cdfc23ba3a0f9d8e1b3239640f074c62d0c1c01f6670

SHA512
734e70c65e73094b0dd3e8e51026f49302ab36d5b2a76d9ddb1c4a0739286de86ba553f773e5dc0fc554b88a1406b0118286bf6c2c5765ae441d00e41d92c54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b1200ec-8240-4fa7-8577-1ab07df84b13.vbs

Filesize
719B

MD5
afa5bdcfa7a3c505ae89826a686ede85

SHA1
993ac8da8a299e0f9836c4e2b2ad1caa6a52184e

SHA256
2c4607818775e3f29a2985aea7cbd46ea81c41d4ff8b9806fe377d949db5d5e1

SHA512
33958576d269f19b3227fc3de947204065a627332b6336f8a69d5a5b4783adb5bf2ea3335b9aeff5929aa07473b15755af009e8d4c9c1699af95c15f95a994b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d54d886-fb1e-4dd4-8281-f324e10790f1.vbs

Filesize
719B

MD5
bff28ce2c1beaef6662c115034e1b2b3

SHA1
19a77fa5efb0028deb5d2d1437a99669dfda4cb4

SHA256
2289f140efaa9e0d3750f2b8b725ce43f747380719454193a7485f1a7308e6ee

SHA512
dc1b37fcc0aceb99e3e2c9f8b4c57c92bd36d9387ab7dee9195d79c3173b31c8e712c5da5a76d8c2c40a42fc3d5035855441525abf644656228b48f0d5f04e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a642aec-2c23-4776-90fc-81617136317c.vbs

Filesize
719B

MD5
533fad3eedb45967a1ab72fe14c5f920

SHA1
0f725b11db78a21e82c0a9d06263a67ec93d072a

SHA256
5ffb91d6f4f849ea51fc6641fb913174dee50fd7f9fd6b459d50731c1d71ddbb

SHA512
04454aa7c23c46d9cd6856efde04898860feebd2ea6b889086ce8df1029cb72cf9704760b79f6ba730c4a272fb706cef078946556105e42c0feac8a5e6761952

Download Submit
C:\Users\Admin\AppData\Local\Temp\77246e34-485d-4d87-b907-af06581581eb.vbs

Filesize
718B

MD5
7090ca89e14f0cc7309e987e5bc90571

SHA1
e917a5d03cd686f40db271f39457517b21f66917

SHA256
359a241f7231e951d0f7d29ec92ac98211f75e858e88e6f53909e34173513209

SHA512
364d721bc870c907d62a682e38b4577fc7fa0bcea26ecfbd603a4045af9459780ce2e569a5d26c2da79197094c05c9ec302388598496d508cbac0d4fa60a7e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0172f6b-0877-4417-9d12-09c09c5afb39.vbs

Filesize
719B

MD5
fde57071d5639d0ac67097aa8a497dd4

SHA1
0e9c4de34d1460308154d30b97232d5557dd9e0d

SHA256
dfe6ac3dcb857a5fc3e19a1cb39959052ae610e6958fc8d95e658912694dd125

SHA512
a4ae4b6342139b752039f71334bd2d5ea33d83c7187cb2383487292d21d489f25ed16629c94dcd35720c443411fe274b9a81437b283c1bc5cad2ddef5b9bd0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd43b8ae-2bef-4ab0-bfa6-d6385e25b886.vbs

Filesize
495B

MD5
41e9e1be091232c187a27d82b799ead8

SHA1
44ddb5bc53dcfe3bf1e22f883232debe9659f14b

SHA256
1fd05249ec1e601336108f72981d9a56a32ebf8c705c31ab35f75f0b9ef38330

SHA512
8c7a12240ed02ed0023252f58be317af89c47db213aa84220f98df14adb3610d5a25ea444a9bf93761fbed9c20525e81fb90fd98ceab10dc67513ec754ce7a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\e18f30b5-be02-46f6-82be-dc7e2bfeb362.vbs

Filesize
719B

MD5
857db69eecc831fcf16b1bae7f47a8a5

SHA1
78a55e8773a71022ff385ada01aff5e394472004

SHA256
f5047f85d68d71b5cd9fc7ce0f52ac701c21cb733debfb9cce6d6337d036d60c

SHA512
7aa4a7ffa7bf3d3ead4443fd0c432d608fd4ebce80de8112f4459dbbec1f98b4ea3348355e3f937b76838a2e8de5d231ca9e16ebb3e8a3fb29d645cd0a06413f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3209383-d685-44c3-ab7f-5decc8592ff0.vbs

Filesize
719B

MD5
ecbb90184dec7c32cdf4875010b8f742

SHA1
3f17bb4f7f8553d34322007950ccc88f66fb3750

SHA256
11dca6a1dca4005355dcc724c267c5cf8707cdf48a42e692947c57482ce8b758

SHA512
8bb5efa195c349175c64ef472480e051ec30d8b1f59fb6b9bfba7a231af911e48d5be7daafdfe795caa6e885f20b8dfc663f718fe425adc0fd3cd265b2cdae23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFAC3.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfde0f63c39609120e40f795d52c8c45

SHA1
da2f8a2bcc63e0cfca677f944dacb63a743e8d2c

SHA256
d5c4a804cc6be9ea0b4e96915c0817ab9717f4645b5d04e18c95a5b0a161de9c

SHA512
c0bc47fdb10f56bdf6ee05fbd946b55511b7f2ec344a300da71632134f98dab62693cb1cf07c39e2c16e686a3db59c70139b0ecc449045163c2a74a4d57c7834

Download Submit
memory/456-192-0x0000000000B20000-0x0000000000B32000-memory.dmp

Filesize
72KB

Download
memory/456-191-0x0000000000DF0000-0x00000000012E4000-memory.dmp

Filesize
5.0MB

Download
memory/1084-10-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/1084-12-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download
memory/1084-15-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download
memory/1084-14-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1084-79-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/1084-94-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1084-13-0x0000000000DE0000-0x0000000000DEE000-memory.dmp

Filesize
56KB

Download
memory/1084-16-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1084-4-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1084-5-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1084-162-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1084-2-0x000000001B280000-0x000000001B3AE000-memory.dmp

Filesize
1.2MB

Download
memory/1084-11-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1084-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/1084-1-0x0000000001190000-0x0000000001684000-memory.dmp

Filesize
5.0MB

Download
memory/1084-9-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/1084-8-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/1084-7-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/1084-6-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1084-3-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-113-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2008-222-0x00000000002A0000-0x0000000000794000-memory.dmp

Filesize
5.0MB

Download
memory/2084-252-0x0000000000CD0000-0x00000000011C4000-memory.dmp

Filesize
5.0MB

Download
memory/2144-117-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2276-116-0x0000000000E60000-0x0000000001354000-memory.dmp

Filesize
5.0MB

Download
memory/2448-237-0x0000000000860000-0x0000000000D54000-memory.dmp

Filesize
5.0MB

Download
memory/2800-207-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/3020-176-0x00000000003D0000-0x00000000008C4000-memory.dmp

Filesize
5.0MB

Download