dcrat | 26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Size

1.5MB
MD5

f91496771d28964b72f434ea6126dfa8
SHA1

a4931a74891db919f9fedac48df224239fd06f6b
SHA256

26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7
SHA512

8395779d39446f35acbf91e20e7ba236a4c2b66ee4a90a75898014855775ccd5038b848ba513d3d28faccbce1738d548a322f25f86dbe794b16423b10049dbc1
SSDEEP

24576:0NNUtQhWhtqDfDXQdy+N+gfQqRsgFlDRluQ70eJiVbWpRp:EzhWhCXQFN+0IEuQgyiVKR

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\", \"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\", \"C:\\Users\\Public\\wininit.exe\", \"C:\\Windows\\System32\\dinput\\spoolsv.exe\", \"C:\\Windows\\System32\\davhlpr\\lsm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\", \"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\", \"C:\\Users\\Public\\wininit.exe\", \"C:\\Windows\\System32\\dinput\\spoolsv.exe\", \"C:\\Windows\\System32\\davhlpr\\lsm.exe\", \"C:\\Windows\\System32\\net1\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\", \"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\", \"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\", \"C:\\Users\\Public\\wininit.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\verclsid\\dwm.exe\", \"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\", \"C:\\Users\\Public\\wininit.exe\", \"C:\\Windows\\System32\\dinput\\spoolsv.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2672	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2672	schtasks.exe	30

UAC bypass 3 TTPs 30 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
680	powershell.exe
2832	powershell.exe
600	powershell.exe
1240	powershell.exe
2368	powershell.exe
1600	powershell.exe
2772	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Executes dropped EXE 9 IoCs

pid	Process
2948	wininit.exe
2744	wininit.exe
1884	wininit.exe
1956	wininit.exe
856	wininit.exe
2628	wininit.exe
2124	wininit.exe
1256	wininit.exe
964	wininit.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\davhlpr\\lsm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\net1\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\net1\\dllhost.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\verclsid\\dwm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\wininit.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\dinput\\spoolsv.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\davhlpr\\lsm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\verclsid\\dwm.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\PerfCenterCpl\\winlogon.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\wininit.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\dinput\\spoolsv.exe\""	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\net1\5940a34987c991	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\PerfCenterCpl\winlogon.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\dinput\spoolsv.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\net1\RCX1EA.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\verclsid\6cb0b6c459d5d3	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\davhlpr\101b941d020240	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\net1\dllhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\dinput\spoolsv.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\davhlpr\RCXFFE7.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\dinput\RCXFD76.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\davhlpr\lsm.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\PerfCenterCpl\winlogon.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\PerfCenterCpl\cc11b995f2a76d	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\verclsid\RCXF76A.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\davhlpr\lsm.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\PerfCenterCpl\RCXF96E.tmp	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\net1\dllhost.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\verclsid\dwm.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File opened for modification	C:\Windows\System32\verclsid\dwm.exe	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
File created	C:\Windows\System32\dinput\f3b6ecef712a24	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
2940	schtasks.exe
2388	schtasks.exe
2360	schtasks.exe
2212	schtasks.exe
860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
600	powershell.exe
1600	powershell.exe
680	powershell.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2832	powershell.exe
2772	powershell.exe
2368	powershell.exe
1240	powershell.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2948	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe
2744	wininit.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2948	wininit.exe
Token: SeDebugPrivilege	2744	wininit.exe
Token: SeDebugPrivilege	1884	wininit.exe
Token: SeDebugPrivilege	1956	wininit.exe
Token: SeDebugPrivilege	856	wininit.exe
Token: SeDebugPrivilege	2628	wininit.exe
Token: SeDebugPrivilege	2124	wininit.exe
Token: SeDebugPrivilege	1256	wininit.exe
Token: SeDebugPrivilege	964	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 680	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	37
PID 2736 wrote to memory of 680	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	37
PID 2736 wrote to memory of 680	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	37
PID 2736 wrote to memory of 2832	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	38
PID 2736 wrote to memory of 2832	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	38
PID 2736 wrote to memory of 2832	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	38
PID 2736 wrote to memory of 1240	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	39
PID 2736 wrote to memory of 1240	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	39
PID 2736 wrote to memory of 1240	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	39
PID 2736 wrote to memory of 600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	41
PID 2736 wrote to memory of 600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	41
PID 2736 wrote to memory of 600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	41
PID 2736 wrote to memory of 2772	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	43
PID 2736 wrote to memory of 2772	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	43
PID 2736 wrote to memory of 2772	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	43
PID 2736 wrote to memory of 1600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	46
PID 2736 wrote to memory of 1600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	46
PID 2736 wrote to memory of 1600	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	46
PID 2736 wrote to memory of 2368	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	48
PID 2736 wrote to memory of 2368	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	48
PID 2736 wrote to memory of 2368	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	48
PID 2736 wrote to memory of 2248	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	51
PID 2736 wrote to memory of 2248	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	51
PID 2736 wrote to memory of 2248	2736	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe	51
PID 2248 wrote to memory of 2280	2248	cmd.exe	53
PID 2248 wrote to memory of 2280	2248	cmd.exe	53
PID 2248 wrote to memory of 2280	2248	cmd.exe	53
PID 2248 wrote to memory of 2948	2248	cmd.exe	54
PID 2248 wrote to memory of 2948	2248	cmd.exe	54
PID 2248 wrote to memory of 2948	2248	cmd.exe	54
PID 2948 wrote to memory of 2452	2948	wininit.exe	55
PID 2948 wrote to memory of 2452	2948	wininit.exe	55
PID 2948 wrote to memory of 2452	2948	wininit.exe	55
PID 2948 wrote to memory of 1776	2948	wininit.exe	56
PID 2948 wrote to memory of 1776	2948	wininit.exe	56
PID 2948 wrote to memory of 1776	2948	wininit.exe	56
PID 2452 wrote to memory of 2744	2452	WScript.exe	57
PID 2452 wrote to memory of 2744	2452	WScript.exe	57
PID 2452 wrote to memory of 2744	2452	WScript.exe	57
PID 2744 wrote to memory of 2620	2744	wininit.exe	58
PID 2744 wrote to memory of 2620	2744	wininit.exe	58
PID 2744 wrote to memory of 2620	2744	wininit.exe	58
PID 2744 wrote to memory of 888	2744	wininit.exe	59
PID 2744 wrote to memory of 888	2744	wininit.exe	59
PID 2744 wrote to memory of 888	2744	wininit.exe	59
PID 2620 wrote to memory of 1884	2620	WScript.exe	60
PID 2620 wrote to memory of 1884	2620	WScript.exe	60
PID 2620 wrote to memory of 1884	2620	WScript.exe	60
PID 1884 wrote to memory of 772	1884	wininit.exe	61
PID 1884 wrote to memory of 772	1884	wininit.exe	61
PID 1884 wrote to memory of 772	1884	wininit.exe	61
PID 1884 wrote to memory of 696	1884	wininit.exe	62
PID 1884 wrote to memory of 696	1884	wininit.exe	62
PID 1884 wrote to memory of 696	1884	wininit.exe	62
PID 772 wrote to memory of 1956	772	WScript.exe	63
PID 772 wrote to memory of 1956	772	WScript.exe	63
PID 772 wrote to memory of 1956	772	WScript.exe	63
PID 1956 wrote to memory of 1128	1956	wininit.exe	64
PID 1956 wrote to memory of 1128	1956	wininit.exe	64
PID 1956 wrote to memory of 1128	1956	wininit.exe	64
PID 1956 wrote to memory of 2264	1956	wininit.exe	65
PID 1956 wrote to memory of 2264	1956	wininit.exe	65
PID 1956 wrote to memory of 2264	1956	wininit.exe	65
PID 1128 wrote to memory of 856	1128	WScript.exe	66

System policy modification 1 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe
"C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\verclsid\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\PerfCenterCpl\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\dinput\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\davhlpr\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\net1\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBvYUeTX2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2280
- - C:\Users\Public\wininit.exe
    "C:\Users\Public\wininit.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2948
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a50398cf-da99-4552-b4eb-92ba5e92b5fd.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d53d2023-2e59-484e-b458-514eaf8cee9d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7123f6e-a7d8-4d73-b470-2f0cf001aa5d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        9⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e82da268-e150-4af1-bf2b-45ea23245d97.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        11⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d45f673a-8987-4610-b22c-4ffee8ee0814.vbs"
        12⤵
        
        PID:2816
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        13⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfd89db0-f293-4c29-8447-3d19503e818b.vbs"
        14⤵
        
        PID:2552
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        15⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f849cc2c-8b95-43c4-a55c-d2a0d4346cd7.vbs"
        16⤵
        
        PID:2276
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        17⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\570bc75d-d8c9-49c1-956d-1b499ed206ed.vbs"
        18⤵
        
        PID:1560
        
        C:\Users\Public\wininit.exe
        
        C:\Users\Public\wininit.exe
        19⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e9042bd-ef92-4c59-94b4-bb80a453d97d.vbs"
        20⤵
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01305f84-1820-474a-9773-c11e0920bc62.vbs"
        20⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76f524cb-341d-4129-914f-1ace376fc5cb.vbs"
        18⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e26408cf-ad0c-4e99-b155-97dc253aa77c.vbs"
        16⤵
        
        PID:1852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3bd45fa-cb75-4055-a537-5af5c0ab123e.vbs"
        14⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\987a46ad-0105-4907-a2bc-b5f3a1ff46cc.vbs"
        12⤵
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68d7948e-6946-40a0-b3f6-869a517d5a1f.vbs"
        10⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\463246d4-fd3f-4a83-82b6-6a534f71ddf2.vbs"
        8⤵
        
        PID:696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\700402ce-7fac-41e5-958a-f3ffd26e8241.vbs"
        6⤵
        
        PID:888
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a66f205c-0f4f-4147-9fc7-4b8381ee11c8.vbs"
      4⤵
      PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\verclsid\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\PerfCenterCpl\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\dinput\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\davhlpr\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\net1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\570bc75d-d8c9-49c1-956d-1b499ed206ed.vbs

Filesize
703B

MD5
174cdf010c06c409666f411c78942c61

SHA1
8bbbd4eff7703e218d750f5b58f255e3690eab28

SHA256
1cd4eaf2596acc6ba95d6719319e348b9bbca561ff9f55e0ee0e67ec3a8df77c

SHA512
d63d730235a4ea43c83669613e76d5c055aa21dfc048944b95aac3ed644bce9d9bc5c1243c92c6b19199f2a7e3b3ef4920f1b7d6af01f8302cf51e8c38e57502

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e9042bd-ef92-4c59-94b4-bb80a453d97d.vbs

Filesize
702B

MD5
eba782af7bacd4fb0fd64a880230b1d4

SHA1
005604b80301eb3da94a3b7bcd81eea8fbd59fa7

SHA256
7582ba89a63cc0061a0b315c4a3c0b413d0646ce76812173223ac3c79a9df35c

SHA512
c7d474a7050f2e163ab816d9adcaeb059c3c9fbfd82253a5f80c4f9cfb417befd18638ba613a96efd1115b3f25585a90c42416d371b9f4831db14a93455383be

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqBvYUeTX2.bat

Filesize
191B

MD5
cc6f321c7b2889f5bfcf8b18705efb5b

SHA1
66419482a4d7689119e2504af3e91e3ab6902de8

SHA256
2756fd1330e00eae93e1a89b5d435e0981129c3b424420434874386e4f952a3c

SHA512
934721d3511b9b5648fd70f488fb6c432eab8b2fe0ee6494464bd47d42ded91b180c40a134846f13cdf1ca0ca9c662f757e33be06f84fe6ad8822f6140c69871

Download Submit
C:\Users\Admin\AppData\Local\Temp\a50398cf-da99-4552-b4eb-92ba5e92b5fd.vbs

Filesize
703B

MD5
0850430f5a6b5c5028e4cf8c537f5309

SHA1
9867c51dd470df4953ff2331aae3b96773ccdba1

SHA256
21aa0331ec37af27be49ad77e7c269a642f352b8e895c87cfcd540b1dd8f1c38

SHA512
5f89cf8bbc204f3bdc1b6e0082d355d5d5d9296c202e86ca3dd6c405d02d07b7011da9ca7d6e4540ca3cc23df757621c848e39923747e5eb34b70a71f8d1e6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a66f205c-0f4f-4147-9fc7-4b8381ee11c8.vbs

Filesize
479B

MD5
e12049959000a896aa0f776df93c08a0

SHA1
a2ddbb07126fe46eb7f813e76e0f8eaf89f21529

SHA256
6f9b628488466a5668c17be5f0eac2750e170cc4b36f4e46840df93cec480ceb

SHA512
ea8ad2e0237f433c6d14b580674a321260b1b3fe3963d3099d57070d9073739f96ed6f9a6c29646c30c1ec6c550cc21a0d77f30230a5f85268f4c7f950f7cb31

Download Submit
C:\Users\Admin\AppData\Local\Temp\d45f673a-8987-4610-b22c-4ffee8ee0814.vbs

Filesize
702B

MD5
5208f6424bd41a597310d8c48dd35052

SHA1
a0505a02482ac9698004ba1ffe352506779885b1

SHA256
7113528dbd4c6a455cf3f5b7f207a5adc3c61997d800349548fb99377597fa37

SHA512
2d7fdd07f9234c333ac2039431847f32920d450d64233a9761cf190aeeccfb6375d8e9bd76b3c3207044a400b373bc5a5f85d142fb196c582b6f9a5b644910a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d53d2023-2e59-484e-b458-514eaf8cee9d.vbs

Filesize
703B

MD5
8471a19f6eadd986010bc567da2a1814

SHA1
796c5ad33a5665063081b6f318ce54d77b4d4789

SHA256
e34d987739328b6cfa3db00ec4e5d67244f969f8cf94cb7d8773418129210caf

SHA512
ce4fd93bbf49ddeacdbe151e8945dbbc65ba38ec00ea8a8e7cbe3872e2125fc661f8e72b8ea5bd3eee1d147fe58b3953db82d6daf7899d1928cafb9211c3b5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7123f6e-a7d8-4d73-b470-2f0cf001aa5d.vbs

Filesize
703B

MD5
305951e0459a2d8e6cacb5517024d113

SHA1
9869babc992feaf7227200ad1c78a81293b530e8

SHA256
313959d886d5a661e77ea2f4c72b369d28cd81156cf34726079034a0a789c5e8

SHA512
13d2df8ce7c0828df1a13e8ad9ca84c3de70e805ffc131a9f815ede3e9f59563f5a57dee578658185bb5d38d90d48427de345744ff5e734f55e3e3efa20d6506

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfd89db0-f293-4c29-8447-3d19503e818b.vbs

Filesize
703B

MD5
9896a6c10f371a18f4ef6de4f3a08071

SHA1
b69a75e8534a2fcab592e098dd8a9f9fb31f20f9

SHA256
8fd87fecf4d00a4e388f1278109ebab3e1fd4b30502a0e53db29f68d387e48a6

SHA512
9fc8659ff8784ff42250ae644823ba861ab472c8c461ee1751c43f72d21e6662a0b83ecefa9bd7ab3340eed5cde586310181077880638c992d7e03924742177c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e82da268-e150-4af1-bf2b-45ea23245d97.vbs

Filesize
703B

MD5
c0f9c9974c65a712703427a242dc4df4

SHA1
bcf37a0f379246f149008503479a2084a66a59a3

SHA256
01680d46e0087d91b05c02826e130e5e2188d323e4d9be210ba1c97bb9e4c700

SHA512
de00d28b3dec4dd94a78fc8f7ea5843bf810c8c31541242ca8e51a01d9544d8251e9d4b0c3d46a9c73db7f6762a6a99363a4f5a8dd9a0200fe7235ace00ac4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f849cc2c-8b95-43c4-a55c-d2a0d4346cd7.vbs

Filesize
703B

MD5
3c9e98dc018133266e9b70e2f141a52b

SHA1
f2026219d30d889bb3c430f7a5e3481c0bcd8989

SHA256
59f750129f8cba365cf6bb461cad9d3e7d11779bc05222ee87ad38623b1c2319

SHA512
8dc866dbe7cafd2ed9a984e8331a4faf860e7cc451ae682e1f27ca84694e5435c1b997a3948d9839308bc25084d6c642dc76eb62bc23e932701a940e04c13e20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
587bc45b6be61ce29a2289647d2a50c6

SHA1
4fc4efebe3e0f54ea612263faf711406106bc7ac

SHA256
b56d7cc88d5eb376435b2bd9f6d7dd89614a7a8420003106b61d96b155b3da76

SHA512
02b5137c58c8eafb040bb65d20c678e1df869b0f009088f4b7519043c9dcea757c776f0964d620b5a6cf26e143bc22e7fe4706b3a4f57241e221fbd887c36fab

Download Submit
C:\Windows\System32\davhlpr\RCXFFE7.tmp

Filesize
1.5MB

MD5
af317a49fd5cb3d797b9422cf3a66e71

SHA1
f796914fb9b027a31b0e836b416ce9bc5999d629

SHA256
8d5c7a5f9f4005fd0c2ec0f3b4b59199fe3b5e0be81226ce33eb52f0909563ca

SHA512
86ed5a4f80cfd40c3402c8e7ae9fc48668fa8f8a95374b8b4bb45d41e66d187076eb348a7945c541fd4d5af437b52918e8f481d863897cdbaf4ce7d552e19353

Download Submit
C:\Windows\System32\davhlpr\lsm.exe

Filesize
1.5MB

MD5
f91496771d28964b72f434ea6126dfa8

SHA1
a4931a74891db919f9fedac48df224239fd06f6b

SHA256
26ac4cd501d525afd93aa5db5a4256a84acb6223aaab1836cda9bf5251518fd7

SHA512
8395779d39446f35acbf91e20e7ba236a4c2b66ee4a90a75898014855775ccd5038b848ba513d3d28faccbce1738d548a322f25f86dbe794b16423b10049dbc1

Download Submit
memory/856-167-0x0000000000FB0000-0x000000000112E000-memory.dmp

Filesize
1.5MB

Download
memory/964-218-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/964-217-0x0000000000130000-0x00000000002AE000-memory.dmp

Filesize
1.5MB

Download
memory/1256-205-0x0000000000FD0000-0x000000000114E000-memory.dmp

Filesize
1.5MB

Download
memory/1600-106-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1600-104-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1956-155-0x0000000000080000-0x00000000001FE000-memory.dmp

Filesize
1.5MB

Download
memory/2124-193-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2124-192-0x0000000000270000-0x00000000003EE000-memory.dmp

Filesize
1.5MB

Download
memory/2628-180-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2628-179-0x0000000001020000-0x000000000119E000-memory.dmp

Filesize
1.5MB

Download
memory/2736-12-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2736-5-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2736-11-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2736-118-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-1-0x0000000000160000-0x00000000002DE000-memory.dmp

Filesize
1.5MB

Download
memory/2736-17-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/2736-10-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2736-9-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2736-8-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2736-6-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2736-15-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2736-7-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2736-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/2736-13-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/2736-14-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2736-24-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-4-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2736-21-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2736-20-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/2736-3-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2736-18-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/2736-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-16-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2948-122-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2948-121-0x0000000000F80000-0x00000000010FE000-memory.dmp

Filesize
1.5MB

Download